From 32873dc5b278218e05bd1630d31a466bb55cdc1f Mon Sep 17 00:00:00 2001
From: Florian Born <flborn@microsoft.com>
Date: Tue, 9 Jan 2024 13:42:33 +0100
Subject: [PATCH] A fuzzed stride could cause the max count to become negative
 and hence wrap around uint

---
 code/AssetLib/glTF2/glTF2Asset.inl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/code/AssetLib/glTF2/glTF2Asset.inl b/code/AssetLib/glTF2/glTF2Asset.inl
index 61964d1b49..41525cc6ff 100644
--- a/code/AssetLib/glTF2/glTF2Asset.inl
+++ b/code/AssetLib/glTF2/glTF2Asset.inl
@@ -1000,10 +1000,10 @@ size_t Accessor::ExtractData(T *&outData, const std::vector<unsigned int> *remap
     outData = new T[usedCount];
 
     if (remappingIndices != nullptr) {
-        const unsigned int maxIndex = static_cast<unsigned int>(maxSize / stride - 1);
+        const unsigned int maxIndexCount = static_cast<unsigned int>(maxSize / stride);
         for (size_t i = 0; i < usedCount; ++i) {
             size_t srcIdx = (*remappingIndices)[i];
-            if (srcIdx > maxIndex) {
+            if (srcIdx >= maxIndexCount) {
                 throw DeadlyImportError("GLTF: index*stride ", (srcIdx * stride), " > maxSize ", maxSize, " in ", getContextForErrorMessages(id, name));
             }
             memcpy(outData + i, data + srcIdx * stride, elemSize);