Fix buffer overflow in COBJMeshFileLoader

author sfan5 <sfan5@live.de>

Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)

committer sfan5 <sfan5@live.de>

Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)
author sfan5 <sfan5@live.de>
Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)
committer sfan5 <sfan5@live.de>
Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)
diff --git a/source/Irrlicht/COBJMeshFileLoader.cpp b/source/Irrlicht/COBJMeshFileLoader.cpp

index 8746eb6196c7febd21770a11689783ee480c0c12..c4fee234da93cebc8578b1575e98abeb65d7d5f1 100644 (file)
--- a/source/Irrlicht/COBJMeshFileLoader.cpp
+++ b/source/Irrlicht/COBJMeshFileLoader.cpp
@@ -526,13 +526,18 @@ const c8* COBJMeshFileLoader::goAndCopyNextWord(c8* outBuf, const c8* inBuf, u32
  \r
  bool COBJMeshFileLoader::retrieveVertexIndices(c8* vertexData, s32* idx, const c8* bufEnd, u32 vbsize, u32 vtsize, u32 vnsize)\r
  {\r
-       c8 word[16] = "";\r
+       const u32 BUFFER_LENGTH = 16;\r
+       c8 word[BUFFER_LENGTH];\r
         const c8* p = goFirstWord(vertexData, bufEnd);\r
         u32 idxType = 0;        // 0 = posIdx, 1 = texcoordIdx, 2 = normalIdx\r
  \r
         u32 i = 0;\r
         while ( p != bufEnd )\r
         {\r
+               if ( i >= BUFFER_LENGTH )\r
+               {\r
+                       return false;\r
+               }\r
                 if ( ( core::isdigit(*p)) || (*p == '-') )\r
                 {\r
                         // build up the number\r
author	sfan5 <sfan5@live.de>
	Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)
committer	sfan5 <sfan5@live.de>
	Mon, 24 Oct 2022 09:07:51 +0000 (11:07 +0200)