From 18d189830942f717e584cc1d200118abc849f321 Mon Sep 17 00:00:00 2001 From: Gordon MacPherson Date: Mon, 14 Dec 2020 21:42:01 +0000 Subject: [PATCH] [fbx] Fix #44371 #44376 File crash and Buffer Overflow Fixes: - Element collection will only contain valid elements. - Fixes buffer overflow in the FBX document --- modules/fbx/editor_scene_importer_fbx.cpp | 2 +- modules/fbx/fbx_parser/FBXMeshGeometry.cpp | 2 +- modules/fbx/fbx_parser/FBXTokenizer.cpp | 11 ++++++++--- modules/fbx/fbx_parser/FBXTokenizer.h | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/modules/fbx/editor_scene_importer_fbx.cpp b/modules/fbx/editor_scene_importer_fbx.cpp index debd64eb3d9..b4467dfc882 100644 --- a/modules/fbx/editor_scene_importer_fbx.cpp +++ b/modules/fbx/editor_scene_importer_fbx.cpp @@ -128,7 +128,7 @@ Node *EditorSceneImporterFBX::import_scene(const String &p_path, uint32_t p_flag FBXDocParser::TokenizeBinary(tokens, (const char *)data.write().ptr(), (size_t)data.size()); } else { print_verbose("[doc] is ascii"); - FBXDocParser::Tokenize(tokens, (const char *)data.write().ptr()); + FBXDocParser::Tokenize(tokens, (const char *)data.write().ptr(), (size_t)data.size()); } // The import process explained: diff --git a/modules/fbx/fbx_parser/FBXMeshGeometry.cpp b/modules/fbx/fbx_parser/FBXMeshGeometry.cpp index 6c6bfbdb093..84805cf86b7 100644 --- a/modules/fbx/fbx_parser/FBXMeshGeometry.cpp +++ b/modules/fbx/fbx_parser/FBXMeshGeometry.cpp @@ -182,7 +182,7 @@ MeshGeometry::MeshGeometry(uint64_t id, const ElementPtr element, const std::str // This is stupid, because it means we select them ALL not just the one we want. // but it's fine we can match by id. - GetRequiredElement(top, layer_type_name); + const ElementCollection &candidates = top->GetCollection(layer_type_name); ElementMap::const_iterator iter; diff --git a/modules/fbx/fbx_parser/FBXTokenizer.cpp b/modules/fbx/fbx_parser/FBXTokenizer.cpp index e8eee2607d7..c9bf5167166 100644 --- a/modules/fbx/fbx_parser/FBXTokenizer.cpp +++ b/modules/fbx/fbx_parser/FBXTokenizer.cpp @@ -142,7 +142,7 @@ void ProcessDataToken(TokenList &output_tokens, const char *&start, const char * } // namespace // ------------------------------------------------------------------------------------------------ -void Tokenize(TokenList &output_tokens, const char *input) { +void Tokenize(TokenList &output_tokens, const char *input, size_t length) { // line and column numbers numbers are one-based unsigned int line = 1; unsigned int column = 1; @@ -152,8 +152,13 @@ void Tokenize(TokenList &output_tokens, const char *input) { bool pending_data_token = false; const char *token_begin = nullptr, *token_end = nullptr; - for (const char *cur = input; *cur; column += (*cur == '\t' ? ASSIMP_FBX_TAB_WIDTH : 1), ++cur) { - const char c = *cur; + + // input (starting string), *cur the current string, column += + // modified to fix strlen() and stop buffer overflow + for (size_t x = 0; x < length; x++) { + const char c = input[x]; + const char *cur = &input[x]; + column += (c == '\t' ? ASSIMP_FBX_TAB_WIDTH : 1); if (IsLineEnd(c)) { comment = false; diff --git a/modules/fbx/fbx_parser/FBXTokenizer.h b/modules/fbx/fbx_parser/FBXTokenizer.h index 2515f9a4e04..327483d9652 100644 --- a/modules/fbx/fbx_parser/FBXTokenizer.h +++ b/modules/fbx/fbx_parser/FBXTokenizer.h @@ -187,7 +187,7 @@ typedef std::vector TokenList; * @param output_tokens Receives a list of all tokens in the input data. * @param input_buffer Textual input buffer to be processed, 0-terminated. * @print_error if something goes wrong */ -void Tokenize(TokenList &output_tokens, const char *input); +void Tokenize(TokenList &output_tokens, const char *input, size_t length); /** Tokenizer function for binary FBX files. *