MDC: Fix MDCImporter surface header bounds and endianness checks (#6440)

- Validate ulOffsetEnd in MDCImporter::ValidateSurfaceHeader to prevent pcSurface2 from moving past the MDC buffer(fixes #6167, CVE-2025-5165). - Apply AI_SWAP4 to ulOffsetShaders before using it in bounds checks. Signed-off-by: mapengyuan <mapengyuan@xfusion.com> Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
2026-01-18 17:11:20 +01:00 · 2026-01-15 20:23:54 +08:00
parent d8a9074cd0
commit d1e6bcff6b
1 changed files with 3 additions and 1 deletions
--- a/code/AssetLib/MDC/MDCLoader.cpp
+++ b/code/AssetLib/MDC/MDCLoader.cpp
@@ -160,6 +160,7 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
    AI_SWAP4(pcSurf->ulOffsetTexCoords);
    AI_SWAP4(pcSurf->ulOffsetBaseVerts);
    AI_SWAP4(pcSurf->ulOffsetCompVerts);
+    AI_SWAP4(pcSurf->ulOffsetShaders);
    AI_SWAP4(pcSurf->ulOffsetFrameBaseFrames);
    AI_SWAP4(pcSurf->ulOffsetFrameCompFrames);
    AI_SWAP4(pcSurf->ulOffsetEnd);
@@ -172,7 +173,8 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
            pcSurf->ulOffsetTexCoords + pcSurf->ulNumVertices * sizeof(MDC::TexturCoord) > iMax ||
            pcSurf->ulOffsetShaders + pcSurf->ulNumShaders * sizeof(MDC::Shader) > iMax ||
            pcSurf->ulOffsetFrameBaseFrames + pcSurf->ulNumBaseFrames * 2 > iMax ||
-            (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax)) {
+            (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax) ||
+            pcSurf->ulOffsetEnd > iMax) {
        throw DeadlyImportError("Some of the offset values in the MDC surface header "
                                "are invalid and point somewhere behind the file.");
    }