Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package assimp for openSUSE:Factory checked in at 2026-02-11 18:47:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/assimp (Old) and /work/SRC/openSUSE:Factory/.assimp.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "assimp" Wed Feb 11 18:47:18 2026 rev:35 rq:1332041 version:6.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/assimp/assimp.changes 2025-06-11 16:20:26.365239199 +0200 +++ /work/SRC/openSUSE:Factory/.assimp.new.1670/assimp.changes 2026-02-11 18:47:39.734390849 +0100 
@@ -1,0 +2,479 @@ +Mon Feb 9 12:50:36 UTC 2026 - Christophe Marin <[email protected]> + +- Add upstream changes: + * CVE-2025-5167.patch (CVE-2025-5167) + * CVE-2025-5200.patch (CVE-2025-5200, boo#1243689) + * CVE-2025-2756.patch (CVE-2025-2756, boo#1240026, CVE-2025-2754, boo#1240024) + * 0001-Fix-invalid-verifying-in-OpenDDLParser-parseStringLi.patch + +------------------------------------------------------------------- +Sat Jan 31 08:20:39 UTC 2026 - Christophe Marin <[email protected]> + +- Update to 6.0.4 + * Fix some recently implemented comparisons of token string + * Fix building on Haiku + * Reduce memory consumption in JoinVerticesProcess::ProcessMesh() + significantly + * Fix: Add check for invalid input argument + * Replace an assert by a error log. + * Extension of skinning data export to GLB/GLTF format + * Fix output floating-point values to fbx + * Update ImproveCacheLocality.cpp + * Deep arsdk bone double free + * Fix Spelling error + * use size in order to be compatible with float and double + * Fix: Add missing transformation for normalized normals. + * Fix: Implicit Conversion Error + * Fix add checks for indices + * Update FBXBinaryTokenizer.cpp + * link to external minizip with full path + * utf8 header not found + * Rm unnecessary deg->radian conversion in FBX exporter + * Fix empty mesh handling + * Refactoring: Some cleanups + * Fix invalid read of uint from uvwsrc + * Remove double delete + * fix mesh-name error. 
+ * COLLADA fixes for textures in C4D input + * Use the correct allocator for deleting objects in case of + duplicate animation Ids + * Fix container overflow in MMD parser + * Fix: PLY heap buffer overflow + * Fix: Check if index for mesh access is out of range + * Update FBXConverter.cpp + * FBX: Use correct time scaling + * Drop explicit inclusion of contrib/ headers + * Update Build.md + * Fix buffer overflow in FBX::Util::DecodeBase64() + * Readme.md: correct 2 errors in section headers + * Fix double free in Video::~Video() + * FBXMeshGeometry: solve issue #5116 using patch provided + * Fix target names not being imported on some gLTF2 models + * correct grammar/typographic errors in comments (8 files) + * KHR_materials_specular fixes + * Disable Hunter + * fixed several issues + * Fix leak + * Check validity of archive without parsing + * Fix integer overflow + * Add a test before generating the txture folder + * Build: Disable building zlib for non-windows + * null check. + * fix: KHR_materials_pbrSpecularGlossiness/diffuseFactor convert + to pbrMetallicRoughness/baseColorFactor + * fix building errors for MinGW + * dynamic_cast error. + * Add missing IRR textures + * Update Dockerfile + * Fix handling of X3D IndexedLineSet nodes + * Improve acc file loading + * Readme.md: present hyperlinks in a more uniform style + * FBX Blendshape FullWeight: Vec<Float> -> FullWeight: Vec<Double> + * Fix for issues #5422, #3411, and #5443 -- DXF insert scaling fix + and colour fix + * Update StbCommon.h to stay up-to-date with stb_image.h. + * Introduce aiBuffer + * Add bounds checks to the parsing utilities. 
+ * Fix crash in viewer + * Static code analysis fixes + * Kimkulling/fix bahavior of remove redundat mats + * Fix X importer breakage introduced in commit f844c33 + * Fileformats.md: clarify that import of .blend files is deprecated + * feat:1.add 3mf vertex color read 2.fix 3mf read texture bug + * More GLTF loading hardening + * Update CMakeLists.txt + * Blendshape->Geometry in FBX Export + * Fix identity matrix check + * Fix PyAssimp under Python >= 3.12 and macOS library search support + * Add ISC LICENSE file + * ColladaParser: check values length + * Include defs in not cpp-section + * Add correct double zero check + * Add zlib-header to ZipArchiveIOSystem.h + * Add 2024 to copyright infos + * Append a new setting "AI_CONFIG_EXPORT_FBX_TRANSPARENCY_FACTOR_REFER_TO_OPACITY" + * Eliminate non-ascii comments in clipper + * Fix compilation for MSVC14. + * Add correction of fbx model rotation + * Delete tools/make directory + * Delete packaging/windows-mkzip directory + * Fix #5420 duplicate degrees to radians conversion in fbx importer + * Respect merge identical vertices in ObjExporter + * Fix utDefaultIOStream test under MinGW + * Fix typos + * Add initial macOS support to C4D importer + * Update hunter into CMakeLists.txt + * Fix: add missing import for AI_CONFIG_CHECK_IDENTITY_MATRIX_EPSILON_DEFAULT + * updated json + * Cleanup: Fix review findings + * Update CMakeLists.txt + * CMake: Allow linking draco statically if ASSIMP_BUILD_DRACO_STATIC is set. + * updated minizip to last version + * updated STBIMAGElib + * fix issue #5461 (segfault after removing redundant materials) + * Update ComputeUVMappingProcess.cpp + * add some ASSIMP_INSTALL checks + * Fix SplitByBoneCount typo that prevented node updates + * Q3DLoader: Fix possible material string overflow + * Reverts the changes introduced by commit ad766cb in February 2022. 
+ * fix a collada import bug + * mention IQM loader in Fileformats.md + * Kimkulling/fix pyassimp compatibility + * fix ASE loader crash when *MATERIAL_COUNT or *NUMSUBMTLS is not specified or is 0 + * Add checks for invalid buffer and size + * Make sure for releases revision will be zero + * glTF2Importer: Support .vrm extension + * Prepare v5.4.1 + * Remove deprecated c++11 warnings + * fix ci by disabling tests + * Fix integer overflow + * Assimp viewer fixes + * Optimize readability + * Temporary fix for #5557 GCC 13+ build issue -Warray-bounds + * Fix a bug that could cause assertion failure. + * Fix possible nullptr dereferencing. + * Update ObjFileParser.cpp + * Fix for #5592 Disabled maybe-uninitialized error for AssetLib/Obj/ObjFileParser.cpp + * updated zip + * Postprocessing: Fix endless loop + * Build: Fix compilation for VS-2022 debug mode - warning + * Converted a size_t to mz_uint that was being treated as an error + * Add trim to xml string parsing + * Replace duplicated trim + * Move aiScene constructor + * Move revision.h and revision.h.in to include folder + * Update MDLMaterialLoader.cpp + * Create inno_setup + * clean HunterGate.cmake + * Draft: Update init of aiString + * Fix init aistring issue 5622 inpython module + * update dotnet example + * Make stepfile schema validation more robust. + * fix PLY binary export color from float to uchar + * Some FBXs do not have "Materials" information, which can cause parsing errors + * Fix collada uv channels - temporary was stored and then updated. 
+ * remove ASE parsing break + * FBX-Exporter: Fix nullptr dereferencing + * Fix FBX exporting incorrect bone order + * fixes potential memory leak on malformed obj file + * Update zip.c + * Fixes some uninit bool loads + * Fix names of enum values in docstring of aiProcess_FindDegenerates + * Fix: StackAllocator Undefined Reference fix + * Plx: Fix out of bound access + * Docker: Fix security finding + * Fix potential heapbuffer overflow in md5 parsing + * Replace raw pointers by std::string + * Fix compile warning + * Allow empty slots in mTextureCoords + * [USD] Integrate "tinyusdz" project + * Kimkulling/fix double precision tests + * Update Python structs with missing fields that were causing core dumps + * Introduce interpolation mode to vectro and quaternion keys + * Fix a fuzz test heap buffer overflow in mdl material loader + * Mosfet80 updatedpoli2tri + * CalcTangents: zero vector is invalid for tangent/bitangent + * Fix: A fuzzed stride could cause the max count to become negative and + hence wrap around uint + * Return false instead of crash + * Make coord transfor for hs1 files optional + * Update DefaultIOSystem.cpp + * FBX exporter - handle multiple vertex color channels + * Fixing static builds on Windows + * Added ADD condition in poly2tri dll_symbol.h to only define macros for + dynamic library linking if assimp is ordered to build as DLL + * Fix MSVC PDBs and permit them to be disabled if required + * Use DRACO_GLTF_BITSTREAM + * include Exceptional.h in 3DSExporter.cpp + * Remove recursive include + * Fix: Possible out-of-bound read in findDegenerate + * Revert variable name + * Add compile option /source-charset:utf-8 for MSVC + * Fix leak in loader + * Expose aiGetEmbeddedTexture to C-API + * Sparky kitty studios master + * Added more Maya materials + * Fix to check both types of slashes in GetShortFilename + * Fix copying private data when source pointer is NULL + * Fix potential memory leak in SceneCombiner for LWS/IRR/MD3 loader + * Fix to 
correctly determine 'multi-configuration' on Windows + * Fix casting typo in D3MFExporter::writeBaseMaterials + * FBX: add metadata of ainode as properties + * feat: add option for creating XCFramework and configure minimum iOS target + * Update PyAssimp structs with Skeleton & SkeletonBone members + * The total length is incorrect when exporting gltf2 + * build: Add ccache support + * Update ccpp.yml + * Ply-Importer: Fix vulnerability + * Zero-length mChildren arrays should be nullptr + * Allow usage of pugixml from a superproject + * Prevents PLY from parsing duplicate defined elements + * Add option to ignore FBX custom axes + * Kimkulling/mark blender versions as not supported + * Fix leak + * Fix invalid access + * Fix buffer overflow in MD3Loader + * Fix stack overflow + * FBX Import - Restored Absolute Transform Calculation + * Fix naming in aiMaterial comment + * Update dll_symbol.h + * Fix for build with ASSIMP_BUILD_NO_VALIDATEDS_PROCESS + * Update CMakeLists.txt + * FBX Blendshapes: Do not require normals + * Update Build.md + * SplitLargeMeshes: Fix crash + * Installer: fix images for installer + * Bugfix/installer add missing images + * Fix bug introduced in commit 168ae22 of 27 Oct 2019 + * Fix issue 5767: Can't load USD from memory + * Fix FBX animation bug (issue 3390) + * [Fix issue 5823] Hotfix for broken lightwave normals + * Fixed bug in DefaultLogger::set + * Fix a bug in the assbin loader that reads uninitialized memory + * Fix issue 2889 (molecule_ascii.cob load failure): change integers to + floating point values in color triplets + * Add unit tests for X3D models which were broken at 5 Oct 2020 commit 3b9d4cf + * Update inno_setup-actions + * Simplify re-enabling M3D build support + * Update hunter + * Store current exception when caught in ASSIMP_CATCH_GLOBAL_EXCEPTIONS + * Fix issue 5816 (cone.nff load failure): repair faulty line in 3D model file + * Readme: Add project activity view item + * Cleanup Unit Tests Output + * USD Skinned 
Mesh + * Update tinyusdz + * +Add vertex duplication during face normal generation + * Fix use of uninitialized value. + * Update CMakeLists.txt to fix gcc/clang++ issue + * Add reference screenshots for complex bundled test 3D model files + * Obj: Fix Sonarcube findings + * Try to resolve image paths by replacing backslashes or forward slashes + in EmbedTexturesProcess + * Material: Fix the build for c compiler + * Material: Fix sonarcube finding + * Remove strcpy. + * Fix potential uninitialized variable in clipper + * Check that mMaterials not null before access + * Cleanup: Delete code/.editorconfig + * Readme.md: Add sonarcube badge + * Obj: fix nullptr access. + * Update cpp-pm / hunter + * Add CI to automatically build and attach binaries to releases + * Simplify JoinVerticesProcess + * USD Keyframe Animations + * Fix compiler error when double precision is selected, + * Synchronize DefaultLogger + * Do not create GLTF Mesh if no faces + * FBX Blendshape: export float & same # verts + * bugfix: Fixed the issue that draco compressed gltf files cannot be + loaded normally + * pbrt: Validate mesh in WriteMesh before AttributeBegin call + * Introducing assimp Guru on Gurubase.io + * Fix: Fix build for mingw10 + * Fix use after free in the CallbackToLogRedirector + * USD Mesh Node Fix + * Fixed warnings + * Replace C# port with maintained fork + * Fix heap-buffer-overflow in OpenDDLParser + * Fix parsing of comments at the end of lines for tokens with variable + number of elements. 
+ * Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd + * Fix: Fix name collision + * Bug/evaluate matrix4x4 access + * glTF importers: Avoid strncpy truncating away the ' \0' character + * Export tangents in GLTF + * Disable logs for fuzzer by default + * Fix docs for aiImportFileExWithProperties to not talk about the importer + keeping the Scene alive + * Fix stack overflow in LWS loader + * Introduce VRML format (.wrl and .x3dv) 3D model support + * Verify negative values in Quake1 MDL header + * Fix heap buffer overflow in HMP loader + * pragma warning bug fix when using g++ on windows + * AssbinImporter::ReadInternFile now closes stream before throwing + * Updated Material.cpp to Add Missing Texture Types to String + * Docker: Optimize usage + * Bugfix/cosmetic code cleanup + * Add arm64-simulator support to iOS build script ++++ 182 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/assimp/assimp.changes ++++ and /work/SRC/openSUSE:Factory/.assimp.new.1670/assimp.changes Old: ---- assimp-6.0.2.tar.xz New: ---- 0001-Fix-invalid-verifying-in-OpenDDLParser-parseStringLi.patch CVE-2025-2756.patch CVE-2025-5167.patch CVE-2025-5200.patch assimp-6.0.4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ 
++++++ assimp.spec ++++++ --- /var/tmp/diff_new_pack.dZjU5j/_old 2026-02-11 18:47:41.262455020 +0100 +++ /var/tmp/diff_new_pack.dZjU5j/_new 2026-02-11 18:47:41.266455188 +0100 @@ -1,7 +1,7 @@ # # spec file for package assimp # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define sover 6 Name: assimp -Version: 6.0.2 +Version: 6.0.4 Release: 0 Summary: Library to load and process 3D scenes from various data formats License: BSD-3-Clause AND MIT @@ -26,6 +26,14 @@ Source0: %{name}-%{version}.tar.xz # PATCH-FIX-UPSTREAM -- don't reject 'find_package(assimp 5)' calls Patch0: 0001-Accept-find_package-Assimp-5.x-calls.patch +# PATCH-FIX-UPSTREAM +Patch1: CVE-2025-5167.patch +# PATCH-FIX-UPSTREAM +Patch2: CVE-2025-5200.patch +# PATCH-FIX-UPSTREAM +Patch3: CVE-2025-2756.patch +# PATCH-FIX-UPSTREAM +Patch4: 0001-Fix-invalid-verifying-in-OpenDDLParser-parseStringLi.patch BuildRequires: cmake >= 3.22 BuildRequires: gcc-c++ BuildRequires: pkgconfig @@ -132,7 +140,7 @@ %{_libdir}/libassimp.so.* %files devel -%doc CHANGES CREDITS +%doc CHANGES.md CREDITS %{_bindir}/assimp %{_includedir}/assimp/ %{_libdir}/libassimp.so ++++++ 0001-Fix-invalid-verifying-in-OpenDDLParser-parseStringLi.patch ++++++ >From 36c3a19aa853d75c7cb2bb843dd75468f001ab66 Mon Sep 17 00:00:00 2001 From: Kyungjoon Ko <[email protected]> Date: Fri, 6 Feb 2026 21:34:23 +0900 Subject: [PATCH] Fix invalid verifying in OpenDDLParser::parseStringLiteral (#6314) Co-authored-by: Kim Kulling <[email protected]> --- contrib/openddlparser/code/OpenDDLParser.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp index 1e14f5fd0..e065f9410 100644 --- a/contrib/openddlparser/code/OpenDDLParser.cpp 
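Review bot: the four new Patch1..Patch4 entries in the `@@ -26,6 +26,14 @@` hunk of assimp.spec carry only a bare `# PATCH-FIX-UPSTREAM` tag, while the existing Patch0 line follows the packaging convention of adding a one-line description. Suggest carrying the patch subject and tracker references over from the changes entry, e.g. `# PATCH-FIX-UPSTREAM -- LWO: fix heap buffer overflow in LWOImporter::GetS0 (CVE-2025-5167)` and `# PATCH-FIX-UPSTREAM -- MDL: bounds-check frame parsing (CVE-2025-5200, boo#1243689)`, so a later reviewer can tell which fix each patch carries without opening it.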
+++ b/contrib/openddlparser/code/OpenDDLParser.cpp @@ -796,10 +796,13 @@ char *OpenDDLParser::parseStringLiteral(char *in, char *end, Value **stringData) if (*start == '\"') { ++start; ++in; - while (*in != '\"' && in != end) { + while (in != end && *in != '\"') { ++in; ++len; } + if (in == end) { + return in; + } *stringData = ValueAllocator::allocPrimData(Value::ValueType::ddl_string, len); ::strncpy((char *)(*stringData)->m_data, start, len); -- 2.52.0 ++++++ CVE-2025-2756.patch ++++++ >From ae6633ef8a8b686a7a080e9ad65fc77fd712e4b4 Mon Sep 17 00:00:00 2001 From: peng <[email protected]> Date: Thu, 29 Jan 2026 04:33:55 +0800 Subject: [PATCH] Fix AC3DImporter heap-buffer-overflow by validating mesh vertex bounds (#6458) Add validations check in AC3DImporter::ConvertObjectSection to ensure that writing TriangleStrip vertex data does not exceed mesh->mNumVertices allocation. Fixes #6015 (CVE-2025-2754) Fixes #6018 (CVE-2025-2756) Signed-off-by: mapengyuan <[email protected]> --- code/AssetLib/AC/ACLoader.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code/AssetLib/AC/ACLoader.cpp b/code/AssetLib/AC/ACLoader.cpp index 006c00cac..df86ce92c 100644 --- a/code/AssetLib/AC/ACLoader.cpp +++ b/code/AssetLib/AC/ACLoader.cpp @@ -607,6 +607,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object, const Surface::SurfaceEntry &entry1 = src.entries[i]; const Surface::SurfaceEntry &entry2 = src.entries[i + 1]; const Surface::SurfaceEntry &entry3 = src.entries[i + 2]; + const unsigned int verticesNeeded = isDoubleSided ? 6 : 3; + if (static_cast<unsigned>(vertices - mesh->mVertices) + verticesNeeded > mesh->mNumVertices) { + throw DeadlyImportError("AC3D: Invalid number of vertices"); + } aiFace &face = *faces++; face.mNumIndices = 3; 
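Review bot: in the `@@ -796,10 +796,13 @@` hunk of OpenDDLParser.cpp the reordered loop condition `while (in != end && *in != '\"')` correctly stops `*in` from being dereferenced once `in` reaches `end`, but the new early return `if (in == end) { return in; }` leaves `*stringData` unassigned; unless every caller initialises its `Value *` to nullptr and checks it, an unterminated string literal now trades an out-of-bounds read for use of an uninitialised pointer. Suggest `*stringData = nullptr;` before the return (or on entry to the function) plus a log line naming the unterminated literal, so the failure is visible rather than silent.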
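Review bot: in the `@@ -607,6 +607,10 @@` hunk of ACLoader.cpp the bound `static_cast<unsigned>(vertices - mesh->mVertices) + verticesNeeded > mesh->mNumVertices` is the right test, but it narrows a `ptrdiff_t` to `unsigned` before comparing; `static_cast<size_t>` (or comparing `vertices + verticesNeeded` against `mesh->mVertices + mesh->mNumVertices` directly) avoids a truncation on 64-bit builds and reads as the pointer-range check it is. The same check and message recur in the `@@ -661` hunk of this patch; a small inline helper such as `ensureVertexCapacity(mesh, vertices, n)` would keep the two from drifting apart.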
@@ -661,6 +665,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object, unsigned int tmp = (unsigned int)(*it).entries.size(); if (Surface::OpenLine == type) --tmp; for (unsigned int m = 0; m < tmp; ++m) { + if (static_cast<unsigned>(vertices - mesh->mVertices) + 2 > mesh->mNumVertices) { + throw DeadlyImportError("AC3D: Invalid number of vertices"); + } + aiFace &face = *faces++; face.mNumIndices = 2; -- 2.52.0 ++++++ CVE-2025-5167.patch ++++++ >From 7fd443b850b16119f12de7b673cf7cfad7f92179 Mon Sep 17 00:00:00 2001 From: peng <[email protected]> Date: Wed, 4 Feb 2026 02:21:06 +0800 Subject: [PATCH] LWO: Fix heap buffer overflow in LWOImporter::GetS0 (#6451) * LWO: Fix heap buffer overflow in LWOImporter::GetS0 * Add strict buffer boundary checks to prevent out-of-bounds reads on malformed or unterminated strings. Fixes #6169 (CVE-2025-5167) --- code/AssetLib/LWO/LWOLoader.cpp | 27 +------ code/AssetLib/LWO/LWOLoader.h | 132 ++++++++++++++++---------------- 2 files changed, 70 insertions(+), 89 deletions(-) diff --git a/code/AssetLib/LWO/LWOLoader.cpp b/code/AssetLib/LWO/LWOLoader.cpp index 258bfbd..70f1985 100644 --- a/code/AssetLib/LWO/LWOLoader.cpp +++ b/code/AssetLib/LWO/LWOLoader.cpp @@ -64,7 +64,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. using namespace Assimp; -static const aiImporterDesc desc = { +static constexpr aiImporterDesc desc = { "LightWave/Modo Object Importer", "", "", 
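Review bot: in the `@@ -661,6 +665,10 @@` hunk of ACLoader.cpp the `+ 2` capacity check runs once per line segment inside `for (unsigned int m = 0; m < tmp; ++m)`; since `tmp` is fixed before the loop, checking `2 * tmp` against the remaining capacity once, ahead of the loop, rejects a malformed surface immediately and keeps the per-segment loop free of the extra branch. The blank `+` line after the closing brace is also stray whitespace against the surrounding style.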
@@ -77,30 +77,6 @@ static const aiImporterDesc desc = { "lwo lxo" }; -// ------------------------------------------------------------------------------------------------ -// Constructor to be privately used by Importer -LWOImporter::LWOImporter() : - mIsLWO2(), - mIsLXOB(), - mIsLWO3(), - mLayers(), - mCurLayer(), - mTags(), - mMapping(), - mSurfaces(), - mFileBuffer(), - fileSize(), - mScene(nullptr), - configSpeedFlag(), - configLayerIndex(), - hasNamedLayer() { - // empty -} - -// ------------------------------------------------------------------------------------------------ -// Destructor, private as well -LWOImporter::~LWOImporter() = default; - // ------------------------------------------------------------------------------------------------ // Returns whether the class can handle the format of the given file. bool LWOImporter::CanRead(const std::string &file, IOSystem *pIOHandler, bool /*checkSig*/) const { @@ -155,6 +131,7 @@ void LWOImporter::InternReadFile(const std::string &pFile, } mFileBuffer = &mBuffer[0] + 12; + mFileBufferEnd = &mBuffer[0] + fileSize; fileSize -= 12; // Initialize some members with their default values diff --git a/code/AssetLib/LWO/LWOLoader.h b/code/AssetLib/LWO/LWOLoader.h index 71920e9..ac6f2aa 100644 --- a/code/AssetLib/LWO/LWOLoader.h +++ b/code/AssetLib/LWO/LWOLoader.h @@ -56,6 +56,7 @@ struct aiNode; struct aiMaterial; namespace Assimp { + using namespace LWO; // --------------------------------------------------------------------------- 
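Review bot: in the `@@ -56,6 +56,7 @@` hunk of LWOLoader.h the added `+ using namespace LWO;` sits inside `namespace Assimp` in a header, so it pulls the whole `LWO` namespace into every translation unit that includes the file; and the context line of the following hunk (`@@ -68,10 +69,17 @@ using namespace LWO;`) shows such a directive already existed a few lines further down, so this looks like a duplicate rather than a fix. Suggest dropping the addition (or, if it was meant to replace the later one, removing that one in the same change) and qualifying the remaining unqualified `LWO` types in the declarations (`LayerList`, `TagList`, `TagMappingTable`, `SurfaceList`) instead.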
@@ -68,10 +69,17 @@ using namespace LWO; * they aren't specific to one format version */ // --------------------------------------------------------------------------- -class LWOImporter : public BaseImporter { +class LWOImporter final : public BaseImporter { public: - LWOImporter(); - ~LWOImporter() override; + /** + * @brief The class constructor. + */ + LWOImporter() = default; + + /** + * @brief The class destructor. + */ + ~LWOImporter() override = default; // ------------------------------------------------------------------- /** Returns whether the class can handle the format of the given file. @@ -113,13 +121,13 @@ private: // ------------------------------------------------------------------- /** Parsing functions used for all file format versions */ - inline void GetS0(std::string &out, unsigned int max); - inline float GetF4(); - inline float GetF8(); - inline uint64_t GetU8(); - inline uint32_t GetU4(); - inline uint16_t GetU2(); - inline uint8_t GetU1(); + void GetS0(std::string &out, unsigned int max); + float GetF4(); + float GetF8(); + uint64_t GetU8(); + uint32_t GetU4(); + uint16_t GetU2(); + uint8_t GetU1(); // ------------------------------------------------------------------- /** Loads a surface chunk from an LWOB file 
@@ -353,57 +361,44 @@ private: LWO::Texture *SetupNewTextureLWOB(LWO::TextureList &list, unsigned int size); -protected: - /** true if the file is a LWO2 file*/ - bool mIsLWO2; - - /** true if the file is a LXOB file*/ - bool mIsLXOB; - - bool mIsLWO3; - - /** Temporary list of layers from the file */ - LayerList *mLayers; - - /** Pointer to the current layer */ - LWO::Layer *mCurLayer; - - /** Temporary tag list from the file */ - TagList *mTags; - - /** Mapping table to convert from tag to surface indices. - UINT_MAX indicates that a no corresponding surface is available */ - TagMappingTable *mMapping; - - /** Temporary surface list from the file */ - SurfaceList *mSurfaces; - - /** Temporary clip list from the file */ - ClipList mClips; - - /** Temporary envelope list from the file */ - EnvelopeList mEnvelopes; - - /** file buffer */ - uint8_t *mFileBuffer; - - /** Size of the file, in bytes */ - unsigned int fileSize; - - /** Output scene */ - aiScene *mScene; - - /** Configuration option: speed flag set? */ - bool configSpeedFlag; - - /** Configuration option: index of layer to be loaded */ - unsigned int configLayerIndex; - - /** Configuration option: name of layer to be loaded */ - std::string configLayerName; - - /** True if we have a named layer */ - bool hasNamedLayer; +private: + /// true if the file is a LWO2 file + bool mIsLWO2{false}; + /// true if the file is a LXOB file + bool mIsLXOB{false}; + /// true if the file is a LWO3 file + bool mIsLWO3{false}; + /// Temporary list of layers from the file + LayerList *mLayers{nullptr}; + /// Pointer to the current layer + LWO::Layer *mCurLayer{nullptr}; + /// Temporary tag list from the file + TagList *mTags{nullptr}; + /// Mapping table to convert from tag to surface indices. 
+ // UINT_MAX indicates that a no corresponding surface is available + TagMappingTable *mMapping{nullptr}; + /// Temporary surface list from the file + SurfaceList *mSurfaces{nullptr}; + /// Temporary clip list from the file + ClipList mClips{}; + /// Temporary envelope list from the file + EnvelopeList mEnvelopes{}; + /// Pointer to the file buffer + uint8_t *mFileBuffer{nullptr}; + /// Size of the file, in bytes + unsigned int fileSize{0u}; + /// End of the file buffer (for bounds checking) + uint8_t *mFileBufferEnd{nullptr}; + /// Output scene + aiScene *mScene{nullptr}; + /// Configuration option: speed flag set? + bool configSpeedFlag{false}; + /// Configuration option: index of layer to be loaded + unsigned int configLayerIndex{0}; + /// Configuration option: name of layer to be loaded */ + std::string configLayerName{}; + /// True if we have a named layer + bool hasNamedLayer{false}; }; // ------------------------------------------------------------------------------------------------ @@ -415,6 +410,7 @@ inline float LWOImporter::GetF4() { return f; } +// ------------------------------------------------------------------------------------------------ inline float LWOImporter::GetF8() { double f; ::memcpy(&f, mFileBuffer, 8); @@ -423,6 +419,7 @@ inline float LWOImporter::GetF8() { return (float)f; } +// ------------------------------------------------------------------------------------------------ inline uint64_t LWOImporter::GetU8() { uint64_t f; ::memcpy(&f, mFileBuffer, 8); 
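Review bot: in the `@@ -353,57 +361,44 @@` hunk of LWOLoader.h the converted doc comments have two slips: `/// Configuration option: name of layer to be loaded */` keeps a stray `*/` from the old block comment, and the continuation line `// UINT_MAX indicates that a no corresponding surface is available` uses `//` rather than `///`, so Doxygen drops it from the description of `mMapping` (and `a no corresponding` should read `no corresponding`). The initialisers are otherwise complete: every member the removed constructor set (`mScene(nullptr)`, `fileSize()`, `hasNamedLayer()`, ...) now has an in-class default and the new `mFileBufferEnd{nullptr}` sits with them; only the mixed `fileSize{0u}` / `configLayerIndex{0}` spelling is worth unifying.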
@@ -482,16 +479,23 @@ inline int LWOImporter::ReadVSizedIntLWO2(uint8_t *&inout) { inline void LWOImporter::GetS0(std::string &out, unsigned int max) { unsigned int iCursor = 0; const char *sz = (const char *)mFileBuffer; - while (*mFileBuffer) { + while (mFileBuffer < mFileBufferEnd && *mFileBuffer) { if (++iCursor > max) { - ASSIMP_LOG_WARN("LWO: Invalid file, string is is too long"); + ASSIMP_LOG_WARN("LWO: Invalid file, string is too long"); break; } ++mFileBuffer; } size_t len = (size_t)((const char *)mFileBuffer - sz); out = std::string(sz, len); - mFileBuffer += (len & 0x1 ? 1 : 2); + + const size_t skip = (len & 0x1 ? 1u : 2u); + const size_t remaining = static_cast<size_t>(mFileBufferEnd - mFileBuffer); + if (remaining < skip) { + mFileBuffer = mFileBufferEnd; + } else { + mFileBuffer += skip; + } } } // end of namespace Assimp -- 2.52.0 ++++++ CVE-2025-5200.patch ++++++ >From 18798f150d5baaccedca6a2d7ea343a252c948ee Mon Sep 17 00:00:00 2001 From: peng <[email protected]> Date: Fri, 30 Jan 2026 04:10:18 +0800 Subject: [PATCH] MDL: Fix heap buffer overflow in MDLImporter frame parsing (#6456) Add buffer boundary checks before reading frame data to prevent out-of-bounds reads on malformed MDL files. Fixes #6172 (CVE-2025-5200) Signed-off-by: mapengyuan <[email protected]> Co-authored-by: Kim Kulling <[email protected]> --- code/AssetLib/MDL/MDLLoader.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/code/AssetLib/MDL/MDLLoader.cpp b/code/AssetLib/MDL/MDLLoader.cpp index 9a0ae81d3..3a3dec955 100644 --- a/code/AssetLib/MDL/MDLLoader.cpp +++ b/code/AssetLib/MDL/MDLLoader.cpp 
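Review bot: in the `@@ -482,16 +479,23 @@` hunk of LWOLoader.h the new loop condition is sound, but the tail computes `remaining = static_cast<size_t>(mFileBufferEnd - mFileBuffer)`, which wraps to a huge value if `mFileBuffer` already sits past `mFileBufferEnd` when GetS0 is entered, and `mFileBuffer += skip` then moves further out of bounds; an explicit `if (mFileBuffer >= mFileBufferEnd) { out.clear(); mFileBuffer = mFileBufferEnd; return; }` at the top of the function closes that case. Note also that `mFileBufferEnd` (set in the `@@ -155,6 +131,7 @@` hunk of LWOLoader.cpp) is consulted only here: the fixed-width readers in the hunks above, `GetF8` and `GetU8`, still do `::memcpy(&f, mFileBuffer, 8)` without checking against it, so the same guard belongs in those before the file can be called bounds-checked.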
@@ -450,12 +450,14 @@ void MDLImporter::InternReadFile_Quake1() { BE_NCONST MDL::Frame *pcFrames = (BE_NCONST MDL::Frame *)szCurrent; MDL::SimpleFrame *pcFirstFrame; + VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames + 1)); if (0 == pcFrames->type) { // get address of single frame pcFirstFrame = (MDL::SimpleFrame *)&pcFrames->frame; } else { // get the first frame in the group BE_NCONST MDL::GroupFrame *pcFrames2 = (BE_NCONST MDL::GroupFrame *)szCurrent; + VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames2 + 1)); pcFirstFrame = (MDL::SimpleFrame *)( szCurrent + sizeof(MDL::GroupFrame::type) + sizeof(MDL::GroupFrame::numframes) + sizeof(MDL::GroupFrame::min) + sizeof(MDL::GroupFrame::max) + sizeof(*MDL::GroupFrame::times) * pcFrames2->numframes ); } @@ -703,6 +705,7 @@ void MDLImporter::InternReadFile_3DGS_MDL345() { // now get a pointer to the first frame in the file BE_NCONST MDL::Frame *pcFrames = (BE_NCONST MDL::Frame *)szCurrent; + VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames + 1)); AI_SWAP4(pcFrames->type); // byte packed vertices @@ -1173,6 +1176,7 @@ bool MDLImporter::ProcessFrames_3DGS_MDL7(const MDL::IntGroupInfo_MDL7 &groupInf for (unsigned int iFrame = 0; iFrame < (unsigned int)groupInfo.pcGroup->numframes; ++iFrame) { MDL::IntFrameInfo_MDL7 frame((BE_NCONST MDL::Frame_MDL7 *)szCurrent, iFrame); + VALIDATE_FILE_SIZE((const unsigned char *)(frame.pcFrame + 1)); AI_SWAP4(frame.pcFrame->vertices_count); AI_SWAP4(frame.pcFrame->transmatrix_count); -- 2.52.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.dZjU5j/_old 2026-02-11 18:47:41.434462243 +0100 +++ /var/tmp/diff_new_pack.dZjU5j/_new 2026-02-11 18:47:41.458463251 +0100 
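Review bot: in the `@@ -450,12 +450,14 @@` hunk of MDLLoader.cpp, `VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames2 + 1))` only proves that a `MDL::GroupFrame` header fits in the buffer; `pcFirstFrame` is then computed by adding `sizeof(*MDL::GroupFrame::times) * pcFrames2->numframes`, where `numframes` comes from the file (and, being `BE_NCONST`, must be byte-swapped before it is used in that arithmetic if it has not been already), so a large `numframes` still places `pcFirstFrame` past the end of the buffer and the first read through it is unchecked. Suggest a second `VALIDATE_FILE_SIZE((const unsigned char *)(pcFirstFrame + 1))` after `pcFirstFrame` is assigned, covering both branches of the `if (0 == pcFrames->type)`.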
@@ -2,7 +2,7 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/assimp/assimp</param> - <param name="revision">v6.0.2</param> + <param name="revision">v6.0.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <!-- non-OSI media --> ++++++ assimp-6.0.2.tar.xz -> assimp-6.0.4.tar.xz ++++++ /work/SRC/openSUSE:Factory/assimp/assimp-6.0.2.tar.xz /work/SRC/openSUSE:Factory/.assimp.new.1670/assimp-6.0.4.tar.xz differ: char 15, line 1
