mirror of
https://github.com/TorqueGameEngines/Torque3D.git
synced 2026-07-03 18:54:28 +00:00
Engine/lib/assimp/code/AssetLib/Q3D/Q3DLoader.cpp: Q3DImporter::InternReadFile reads attacker-controlled 32-bit texture mWidth and mHeight, then computes `unsigned int mul = mWidth * mHeight` and allocates `new aiTexel[mul]`. The pre-existing check only rejects zero dimensions, so a crafted .q3o/.q3s file can make the product overflow 32 bits and wrap to a small value, yielding an undersized allocation. The subsequent fill loop bounded by `end = &begin[mul - 1] + 1` then writes far past the buffer (mul-1 underflows when mul wraps to 0), an out-of-bounds heap write. Add the integer-overflow guard from upstream assimp (the fix that closed assimp/assimp#6358 / CVE-2025-11277) verbatim: after the zero check, reject dimensions whose product would overflow before the multiplication, throwing DeadlyImportError instead. Refs #1765

| | | |
|---|---|---|
| .. | ||
| assimp | ||
| bullet | ||
| collada | ||
| convexMath | ||
| glad | ||
| gtest | ||
| lpng | ||
| nativeFileDialogs | ||
| opcode | ||
| openal-soft | ||
| pcre | ||
| recast | ||
| sdl | ||
| sqlite | ||
| squish | ||
| tinyxml2 | ||
| Torque3D/msvc | ||
| zlib | ||
| .clang-tidy | ||
| .gitignore | ||
| CMakeLists.txt | ||
| libsndfile-libsndfile-1.2.2.tar.gz | ||
| Torque_postBuild.cmake | ||
| xiph-flac-1.5.0.tar.gz | ||
| xiph-ogg-v1.3.6.tar.gz | ||
| xiph-opus-v1.5.2.tar.gz | ||
| xiph-theora-v1.2.0.tar.gz | ||
| xiph-vorbis-v1.3.7.tar.gz | ||
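
The commit message above describes a 32-bit width-times-height product that wraps before it is used as an allocation size. The following is an added illustration of that wrap and of a check performed before the multiplication; it is not the upstream assimp patch or Torque3D code, and the 8-byte header layout, function names and status codes are constructed for this example rather than taken from the Q3D format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dim_status { DIM_OK = 0, DIM_TRUNCATED, DIM_ZERO, DIM_OVERFLOW };

/* Decode a little-endian 32-bit value from untrusted bytes. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What an unguarded multiply yields: the product reduced modulo 2^32. */
uint32_t wrapped_texel_count(uint32_t w, uint32_t h) {
    return w * h;
}

/* Validate both dimensions before multiplying.
 * hdr is a constructed layout (width, then height, both LE32), not real Q3D.
 * *count is written only when DIM_OK is returned. */
enum dim_status checked_texel_count(const uint8_t *hdr, size_t len,
                                    uint32_t *count) {
    if (len < 8)
        return DIM_TRUNCATED;
    uint32_t w = read_le32(hdr);
    uint32_t h = read_le32(hdr + 4);
    if (w == 0 || h == 0)
        return DIM_ZERO;
    /* w * h fits in 32 bits exactly when w <= UINT32_MAX / h;
     * the division itself cannot overflow and h is known non-zero. */
    if (w > UINT32_MAX / h)
        return DIM_OVERFLOW;
    *count = w * h;
    return DIM_OK;
}

int main(void) {
    /* Constructed sample: 0x10001 x 0x10001 texels. */
    const uint8_t hdr[8] = {0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00};
    uint32_t count = 0;
    printf("unguarded count: %u\n",
           (unsigned)wrapped_texel_count(0x10001u, 0x10001u));
    printf("guarded status:  %d\n",
           (int)checked_texel_count(hdr, sizeof hdr, &count));
    return 0;
}
```

A loader that treats any status other than `DIM_OK` as a fatal import error never reaches the allocation with a wrapped count.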