Torque3D/Engine
dkgkdfg65 fa8dd7decc Fix heap-buffer-overflow in vendored assimp Quick3D importer (CVE-2025-11277)
Engine/lib/assimp/code/AssetLib/Q3D/Q3DLoader.cpp:
Q3DImporter::InternReadFile reads attacker-controlled 32-bit texture
mWidth and mHeight, then computes `unsigned int mul = mWidth * mHeight`
and allocates `new aiTexel[mul]`. The pre-existing check only rejects
zero dimensions, so a crafted .q3o/.q3s file can make the product
overflow 32 bits and wrap to a small value, yielding an undersized
allocation. The subsequent fill loop bounded by
`end = &begin[mul - 1] + 1` then writes far past the buffer
(mul-1 underflows when mul wraps to 0), an out-of-bounds heap write.

Add the integer-overflow guard from upstream assimp (the fix that
closed assimp/assimp#6358 / CVE-2025-11277) verbatim: after the
zero check, reject dimensions whose product would overflow before
the multiplication, throwing DeadlyImportError instead.

Refs #1765
2026-06-10 01:25:46 +08:00
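
The wrap-around and a pre-multiplication guard of the kind the commit message describes, as an added example; it is not the Torque3D or assimp code. The type `texel_t`, the function names and the sample dimensions are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 4-byte stand-in for a texel type; not assimp's definition. */
typedef struct { uint8_t b, g, r, a; } texel_t;

/* The unguarded pattern: a 32-bit product that wraps silently. */
static uint32_t texel_count_unchecked(uint32_t width, uint32_t height) {
    return width * height;
}

/* Hypothetical guard: decide before multiplying whether the product fits. */
static bool texel_count_checked(uint32_t width, uint32_t height, uint32_t *count) {
    if (width == 0 || height == 0)
        return false;                 /* the zero check alone is not enough */
    if (width > UINT32_MAX / height)
        return false;                 /* width * height would exceed 32 bits */
    *count = width * height;
    return true;
}

/* Allocate only after the count is validated; NULL means "reject the file". */
static texel_t *texture_alloc(uint32_t width, uint32_t height, uint32_t *count) {
    if (!texel_count_checked(width, height, count))
        return NULL;
    return calloc(*count, sizeof(texel_t));
}

int main(void) {
    /* Constructed header values, as a parser would read them from a file. */
    const uint32_t dims[][2] = { {256, 256}, {0x10000, 0x10000}, {0x10001, 0x10000} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t n = 0;
        texel_t *t = texture_alloc(dims[i][0], dims[i][1], &n);
        printf("%ux%u: wrapped product %u, %s\n", dims[i][0], dims[i][1],
               texel_count_unchecked(dims[i][0], dims[i][1]),
               t ? "accepted" : "rejected");
        free(t);
    }
    return 0;
}
```

The third pair is the case a zero-only check misses: the wrapped product is small but non-zero, so an allocation sized from it would be far smaller than the dimensions imply.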
bin add missing exe files 2024-05-01 15:54:03 +01:00
lib Fix heap-buffer-overflow in vendored assimp Quick3D importer (CVE-2025-11277) 2026-06-10 01:25:46 +08:00
modules/Verve (Mostly) updated verve implementation. 2019-03-07 16:23:41 -06:00
source Update convexShape.cpp 2026-06-08 21:43:58 +01:00
CMakeLists.txt * Adjustment: Initial CMake reworking. 2022-05-13 23:42:41 -04:00