Merge pull request #69 from pic4xiu/master

Avoid out of bounds when calculating b.URI[startPos:]
qmuntal · Jul 18, 2023 · f894395 · f894395
2 parents 7ed65a3 + bbe10e4
commit f894395
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/gltf.go b/gltf.go
@@ -2,6 +2,7 @@ package gltf
 
 import (
 	"encoding/base64"
+	"errors"
 	"strings"
 	"sync"
 )
@@ -133,6 +134,9 @@ func (b *Buffer) marshalData() ([]byte, error) {
 		return nil, nil
 	}
 	startPos := len(mimetypeApplicationOctet) + 1
+	if len(b.URI) < startPos {
+		return nil, errors.New("gltf: Invalid base64 content")
+	}
 	sl, err := base64.StdEncoding.DecodeString(b.URI[startPos:])
 	if len(sl) == 0 || err != nil {
 		return nil, err

diff --git a/gltf_test.go b/gltf_test.go
@@ -96,6 +96,7 @@ func TestBuffer_marshalData(t *testing.T) {
 		{"empty", &Buffer{URI: "data:application/octet-stream;base64,"}, nil, false},
 		{"test", &Buffer{URI: "data:application/octet-stream;base64,TEST"}, []byte{76, 68, 147}, false},
 		{"complex", &Buffer{URI: "data:application/octet-stream;base64,YW55IGNhcm5hbCBwbGVhcw=="}, []byte{97, 110, 121, 32, 99, 97, 114, 110, 97, 108, 32, 112, 108, 101, 97, 115}, false},
+		{"invalid", &Buffer{URI: "data:application/octet-stream;base64"}, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {