packages/assimp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:c57107ab7f76f0eaf5a6aeb113b7d60438725210
Branches Tags
packages:main
..
compare: packages:192ce75243da891d9e9d3e6da3f43b61cf30dc35
Branches Tags
packages:main

No commits in common. "c57107ab7f76f0eaf5a6aeb113b7d60438725210" and "192ce75243da891d9e9d3e6da3f43b61cf30dc35" have entirely different histories.
c57107ab7f ... 192ce75243

12 changed files with 1 additions and 673 deletions
Show Stats Expand all files Collapse all files

133
CVE-2024-48423-pre-Fix-leak-5762.patch
View File

@ -1,133 +0,0 @@
From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:02:34 +0200
Subject: [PATCH] Fix leak (#5762)
* Fix leak
* Update utLogger.cpp
---
code/Common/Assimp.cpp | 13 ++++++---
fuzz/assimp_fuzzer.cc | 2 +-
test/CMakeLists.txt | 1 +
test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 5 deletions(-)
create mode 100644 test/unit/Common/utLogger.cpp
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index ef3ee7b5d8..91896e4059 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
s->write(msg);
}
+static LogStream *DefaultStream = nullptr;
+
// ------------------------------------------------------------------------------------------------
ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
aiLogStream sout;
ASSIMP_BEGIN_EXCEPTION_REGION();
- LogStream *stream = LogStream::createDefaultStream(pStream, file);
- if (!stream) {
+ if (DefaultStream == nullptr) {
+ DefaultStream = LogStream::createDefaultStream(pStream, file);
+ }
+
+ if (!DefaultStream) {
sout.callback = nullptr;
sout.user = nullptr;
} else {
sout.callback = &CallbackToLogRedirector;
- sout.user = (char *)stream;
+ sout.user = (char *)DefaultStream;
}
- gPredefinedStreams.push_back(stream);
+ gPredefinedStreams.push_back(DefaultStream);
ASSIMP_END_EXCEPTION_REGION(aiLogStream);
return sout;
}
diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
index 8178674e82..91ffd9d692 100644
--- a/fuzz/assimp_fuzzer.cc
+++ b/fuzz/assimp_fuzzer.cc
@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
using namespace Assimp;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
+ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
aiAttachLogStream(&stream);
Importer importer;
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7b7fd850ae..1a45adac7e 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -100,6 +100,7 @@ SET( COMMON
unit/Common/utBase64.cpp
unit/Common/utHash.cpp
unit/Common/utBaseProcess.cpp
+ unit/Common/utLogger.cpp
)
SET(Geometry
diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
new file mode 100644
index 0000000000..932240a7f6
--- /dev/null
+++ b/test/unit/Common/utLogger.cpp
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------
+Open Asset Import Library (assimp)
+---------------------------------------------------------------------------
+
+Copyright (c) 2006-2024, assimp team
+
+All rights reserved.
+
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+copyright notice, this list of conditions and the
+following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the
+following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+* Neither the name of the assimp team, nor the names of its
+contributors may be used to endorse or promote products
+derived from this software without specific prior
+written permission of the assimp team.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------------------------------------------------
+*/
+
+#include "UnitTestPCH.h"
+#include <assimp/Importer.hpp>
+
+using namespace Assimp;
+class utLogger : public ::testing::Test {};
+
+TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
+ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ ASSERT_EQ(stream1.callback, stream2.callback);
+}

34
CVE-2024-48423.patch
View File

@ -1,34 +0,0 @@
From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Wed, 11 Dec 2024 12:17:14 +0200
Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
The heap-use-after-free vulnerability occurs in the
CallbackToLogRedirector function. During the process of logging,
a previously freed memory region is accessed, leading to a
use-after-free condition. This vulnerability stems from incorrect
memory management, specifically, freeing a log stream and then
attempting to access it later on.
This patch sets NULL value for The DefaultStream global pointer.
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/Common/Assimp.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index 91896e4059..22e16bd36a 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
DefaultLogger::get()->detachStream(it->second);
delete it->second;
+ if ((Assimp::LogStream *)stream->user == DefaultStream) {
+ DefaultStream = nullptr;
+ }
+
gActiveLogStreams.erase(it);
if (gActiveLogStreams.empty()) {

59
CVE-2024-48424.patch
View File

@ -1,59 +0,0 @@
From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Mon, 16 Dec 2024 23:48:45 +0200
Subject: [PATCH] Fix heap-buffer-overflow in OpenDDLParser (#5919)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
contrib/openddlparser/code/OpenDDLParser.cpp | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp
index 3d7dce45ec..26591b5ec8 100644
--- a/contrib/openddlparser/code/OpenDDLParser.cpp
+++ b/contrib/openddlparser/code/OpenDDLParser.cpp
@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) {
return Grammar::PrimitiveTypeToken[(size_t)type];
}
-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
- if (callback) {
- std::string full(in);
- std::string part(full.substr(0, 50));
+static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) {
+ if (callback) {\
+ std::string part(in.substr(0, 50));
std::stringstream stream;
- stream << "Invalid token \"" << *in << "\" "
+ stream << "Invalid token \"" << in << "\" "
<< "(expected \"" << exp << "\") "
<< "in: \"" << part << "\"";
callback(ddl_error_msg, stream.str());
@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
}
if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
+ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback);
return nullptr;
}
@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) {
++in;
}
} else {
- ++in;
- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback);
error = true;
return nullptr;
}
@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
in = lookForNextToken(in, end);
if (in == end || *in != '}') {
- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback);
return nullptr;
} else {
//in++;

29
CVE-2024-48425.patch
View File

@ -1,29 +0,0 @@
From ecdf8d24b85367b22ba353b4f82299d4af7f1f97 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Mon, 7 Oct 2024 10:30:45 +0200
Subject: [PATCH] SplitLargeMeshes: Fix crash (#5799)
- Fix nullptr access when rootnode of the scene is a nullptr. This can happen even if the scene stores any kind of meshes. closes https://github.com/assimp/assimp/issues/5791
---
code/PostProcessing/SplitLargeMeshes.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/code/PostProcessing/SplitLargeMeshes.cpp b/code/PostProcessing/SplitLargeMeshes.cpp
index 3bee28521..cb9727651 100644
--- a/code/PostProcessing/SplitLargeMeshes.cpp
+++ b/code/PostProcessing/SplitLargeMeshes.cpp
@@ -100,6 +100,11 @@ void SplitLargeMeshesProcess_Triangle::SetupProperties( const Importer* pImp) {
// ------------------------------------------------------------------------------------------------
// Update a node after some meshes have been split
void SplitLargeMeshesProcess_Triangle::UpdateNode(aiNode* pcNode, const std::vector<std::pair<aiMesh*, unsigned int> >& avList) {
+ if (pcNode == nullptr) {
+ ASSIMP_LOG_WARN("UpdateNode skipped, nullptr detected.");
+ return;
+ }
+
// for every index in out list build a new entry
std::vector<unsigned int> aiEntries;
aiEntries.reserve(pcNode->mNumMeshes + 1);
--
2.33.0

196
CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
View File

@ -1,196 +0,0 @@
From d7cde433679a6e21e0a5f22e54ea0951783503fe Mon Sep 17 00:00:00 2001
From: Kim Kulling <kim.kullingk@draeger.com>
Date: Mon, 2 Oct 2023 10:24:43 +0200
Subject: [PATCH] Fix: Add check for invalid input argument
---
code/AssetLib/MD5/MD5Parser.cpp | 10 +++---
code/AssetLib/MD5/MD5Parser.h | 62 ++++++++++++++++++---------------
2 files changed, 38 insertions(+), 34 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 7d0b41c24a..8da30e28f7 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -3,7 +3,7 @@
Open Asset Import Library (assimp)
---------------------------------------------------------------------------
-Copyright (c) 2006-2022, assimp team
+Copyright (c) 2006-2023, assimp team
All rights reserved.
@@ -87,7 +87,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
// ------------------------------------------------------------------------------------------------
// Report error to the log stream
-/*static*/ AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
+AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
char szBuffer[1024];
::ai_snprintf(szBuffer, 1024, "[MD5] Line %u: %s", line, error);
throw DeadlyImportError(szBuffer);
@@ -95,7 +95,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
// ------------------------------------------------------------------------------------------------
// Report warning to the log stream
-/*static*/ void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
+void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
char szBuffer[1024];
::snprintf(szBuffer, sizeof(szBuffer), "[MD5] Line %u: %s", line, warn);
ASSIMP_LOG_WARN(szBuffer);
@@ -122,8 +122,8 @@ void MD5Parser::ParseHeader() {
// print the command line options to the console
// FIX: can break the log length limit, so we need to be careful
char *sz = buffer;
- while (!IsLineEnd(*buffer++))
- ;
+ while (!IsLineEnd(*buffer++));
+
ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
SkipSpacesAndLineEnd();
}
diff --git a/code/AssetLib/MD5/MD5Parser.h b/code/AssetLib/MD5/MD5Parser.h
index ad7367e2ab..9b29fbe851 100644
--- a/code/AssetLib/MD5/MD5Parser.h
+++ b/code/AssetLib/MD5/MD5Parser.h
@@ -2,8 +2,7 @@
Open Asset Import Library (assimp)
----------------------------------------------------------------------
-Copyright (c) 2006-2022, assimp team
-
+Copyright (c) 2006-2023, assimp team
All rights reserved.
@@ -93,7 +92,7 @@ struct Section {
std::string mName;
//! For global elements: the value of the element as string
- //! Iif !length() the section is not a global element
+ //! if !length() the section is not a global element
std::string mGlobalValue;
};
@@ -185,7 +184,7 @@ using FrameList = std::vector<FrameDesc>;
*/
struct VertexDesc {
VertexDesc() AI_NO_EXCEPT
- : mFirstWeight(0), mNumWeights(0) {
+ : mFirstWeight(0), mNumWeights(0) {
// empty
}
@@ -349,62 +348,61 @@ class MD5Parser {
*/
MD5Parser(char* buffer, unsigned int fileSize);
-
// -------------------------------------------------------------------
/** Report a specific error message and throw an exception
* @param error Error message to be reported
* @param line Index of the line where the error occurred
*/
- AI_WONT_RETURN static void ReportError (const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
+ AI_WONT_RETURN static void ReportError(const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
// -------------------------------------------------------------------
/** Report a specific warning
* @param warn Warn message to be reported
* @param line Index of the line where the error occurred
*/
- static void ReportWarning (const char* warn, unsigned int line);
-
+ static void ReportWarning(const char* warn, unsigned int line);
+ // -------------------------------------------------------------------
+ /** Report a specific error
+ * @param error Error message to be reported
+ */
AI_WONT_RETURN void ReportError (const char* error) AI_WONT_RETURN_SUFFIX;
- void ReportWarning (const char* warn) {
- return ReportWarning(warn, lineNumber);
- }
+ // -------------------------------------------------------------------
+ /** Report a specific warning
+ * @param error Warn message to be reported
+ */
+ void ReportWarning (const char* warn);
//! List of all sections which have been read
SectionList mSections;
private:
- // -------------------------------------------------------------------
- /** Parses a file section. The current file pointer must be outside
- * of a section.
- * @param out Receives the section data
- * @return true if the end of the file has been reached
- * @throws ImportErrorException if an error occurs
- */
bool ParseSection(Section& out);
-
- // -------------------------------------------------------------------
- /** Parses the file header
- * @throws ImportErrorException if an error occurs
- */
void ParseHeader();
-
bool SkipLine(const char* in, const char** out);
bool SkipLine( );
bool SkipSpacesAndLineEnd( const char* in, const char** out);
bool SkipSpacesAndLineEnd();
bool SkipSpaces();
+private:
char* buffer;
char* bufferEnd;
unsigned int fileSize;
unsigned int lineNumber;
};
+// -------------------------------------------------------------------
+inline void MD5Parser::ReportWarning (const char* warn) {
+ return ReportWarning(warn, lineNumber);
+}
+
+// -------------------------------------------------------------------
inline void MD5Parser::ReportError(const char* error) {
ReportError(error, lineNumber);
}
+
// -------------------------------------------------------------------
inline bool MD5Parser::SkipLine(const char* in, const char** out) {
++lineNumber;
@@ -418,18 +416,24 @@ inline bool MD5Parser::SkipLine( ) {
// -------------------------------------------------------------------
inline bool MD5Parser::SkipSpacesAndLineEnd( const char* in, const char** out) {
- bool bHad = false;
- bool running = true;
+ if (in == bufferEnd) {
+ *out = in;
+ return false;
+ }
+
+ bool bHad = false, running = true;
while (running) {
if( *in == '\r' || *in == '\n') {
- // we open files in binary mode, so there could be \r\n sequences ...
+ // we open files in binary mode, so there could be \r\n sequences ...
if (!bHad) {
bHad = true;
++lineNumber;
}
+ } else if (*in == '\t' || *in == ' ') {
+ bHad = false;
+ } else {
+ break;
}
- else if (*in == '\t' || *in == ' ')bHad = false;
- else break;
++in;
if (in == bufferEnd) {
break;

39
CVE-2024-53425.patch
View File

@ -1,39 +0,0 @@
From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Tue, 17 Dec 2024 19:57:54 +0200
Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd
(#5921)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 2de8d5033c..c5f108586e 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() {
ReportError("MD5 version tag is unknown (10 is expected)");
}
SkipLine();
- if (buffer == bufferEnd) {
- return;
- }
// print the command line options to the console
- // FIX: can break the log length limit, so we need to be careful
char *sz = buffer;
- while (!IsLineEnd(*buffer++));
+ while (buffer < bufferEnd) {
+ if (IsLineEnd(*buffer++)) {
+ break;
+ }
+ }
+
+ if (buffer == bufferEnd) {
+ return;
+ }
ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
SkipSpacesAndLineEnd();

29
CVE-2025-2151.patch
View File

@ -1,29 +0,0 @@
From d2c6e64a1122884570caf4aaa589d810f5351f28 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Thu, 13 Mar 2025 10:17:43 +0100
Subject: [PATCH] Fix: Avoid override in line parsing (#6048)
Origin: https://github.com/assimp/assimp/commit/d2c6e64a1122884570caf4aaa589d810f5351f28
* Fix: Avoid override in line parsing
- closes https://github.com/assimp/assimp/issues/6026
* Update ParsingUtils.h
---
include/assimp/ParsingUtils.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/assimp/ParsingUtils.h b/include/assimp/ParsingUtils.h
index f5908ee245..9882cf1148 100644
--- a/include/assimp/ParsingUtils.h
+++ b/include/assimp/ParsingUtils.h
@@ -167,7 +167,7 @@ AI_FORCE_INLINE bool GetNextLine(const char_t *&buffer, char_t out[BufferSize])
}
*_out = (char_t)'\0';
- while (IsLineEnd(*buffer) && '\0' != *buffer) {
+ while (IsLineEnd(*buffer) && '\0' != *buffer && buffer != end) {
++buffer;
}

26
CVE-2025-3015.patch
View File

@ -1,26 +0,0 @@
From 7c705fde418d68cca4e8eff56be01b2617b0d6fe Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Wed, 12 Mar 2025 21:12:02 +0100
Subject: [PATCH] ASE: Fix possible out of bound access. (#6045)
---
code/AssetLib/ASE/ASELoader.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
index 4617c9e..a622bb0 100644
--- a/code/AssetLib/ASE/ASELoader.cpp
+++ b/code/AssetLib/ASE/ASELoader.cpp
@@ -730,6 +730,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
unsigned int iCurrent = 0, fi = 0;
for (std::vector<ASE::Face>::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
+ const uint32_t curIndex = (*i).mIndices[n];
+ if (curIndex >= mesh.mPositions.size()) {
+ throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
+ }
mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
// add texture coordinates
--
2.46.0

38
CVE-2025-3016.patch
View File

@ -1,38 +0,0 @@
From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Wed, 12 Mar 2025 21:29:33 +0100
Subject: [PATCH] MDL: Limit max texture sizes
- closes https://github.com/assimp/assimp/issues/6022
---
code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
index 3d39fa6..1bff785 100644
--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
+++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
@@ -210,6 +210,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
return;
}
+static const uint32_t MaxTextureSize = 4096;
+
// ------------------------------------------------------------------------------------------------
// Load color data of a texture and convert it to our output format
void MDLImporter::ParseTextureColorData(const unsigned char *szData,
@@ -220,6 +222,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
// allocate storage for the texture image
if (do_read) {
+ // check for max texture sizes
+ if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
+
if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
throw DeadlyImportError("Invalid MDL file. A texture is too big.");
}
--
2.46.0

28
CVE-2025-3159.patch
View File

@ -1,28 +0,0 @@
From e8a6286542924e628e02749c4f5ac4f91fdae71b Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Thu, 13 Mar 2025 16:23:36 +0100
Subject: [PATCH] ASE: Use correct vertex container (#6051)
- closes https://github.com/assimp/assimp/issues/6024
---
code/AssetLib/ASE/ASEParser.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code/AssetLib/ASE/ASEParser.cpp b/code/AssetLib/ASE/ASEParser.cpp
index c43eb42..f697861 100644
--- a/code/AssetLib/ASE/ASEParser.cpp
+++ b/code/AssetLib/ASE/ASEParser.cpp
@@ -1382,8 +1382,8 @@ void Parser::ParseLV4MeshBonesVertices(unsigned int iNumVertices, ASE::Mesh &mes
if (TokenMatch(filePtr, "MESH_BONE_VERTEX", 16)) {
// read the vertex index
unsigned int iIndex = strtoul10(filePtr, &filePtr);
- if (iIndex >= mesh.mPositions.size()) {
- iIndex = (unsigned int)mesh.mPositions.size() - 1;
+ if (iIndex >= mesh.mBoneVertices.size()) {
+ iIndex = (unsigned int)mesh.mBoneVertices.size() - 1;
LogWarning("Bone vertex index is out of bounds. Using the largest valid "
"bone vertex index instead");
}
--
2.41.0

29
CVE-2025-3160.patch
View File

@ -1,29 +0,0 @@
From a0993658f40d8e13ff5823990c30b43c82a5daf0 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Thu, 13 Mar 2025 10:24:20 +0100
Subject: [PATCH] Bugfix: Fix possible nullptr dereferencing
- closes https://github.com/assimp/assimp/issues/6025
---
code/Common/SceneCombiner.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/code/Common/SceneCombiner.cpp b/code/Common/SceneCombiner.cpp
index 0188f5d..4a9c6eb 100644
--- a/code/Common/SceneCombiner.cpp
+++ b/code/Common/SceneCombiner.cpp
@@ -95,6 +95,11 @@ inline void PrefixString(aiString &string, const char *prefix, unsigned int len)
// ------------------------------------------------------------------------------------------------
// Add node identifiers to a hashing set
void SceneCombiner::AddNodeHashes(aiNode *node, std::set<unsigned int> &hashes) {
+ if (node == nullptr) {
+ ASSIMP_LOG_VERBOSE_DEBUG("Pointer to aiNode is nullptr.");
+ return;
+ }
+
// Add node name to hashing set if it is non-empty - empty nodes are allowed
// and they can't have any anims assigned so its absolutely safe to duplicate them.
if (node->mName.length) {
--
2.41.0

34
assimp.spec
View File

@ -1,6 +1,6 @@
Name: assimp Name: assimp
Version: 5.3.1 Version: 5.3.1
Release: 9 Release: 4
Summary: Library to load and process various 3D model formats into applications. Summary: Library to load and process various 3D model formats into applications.
License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
URL: http://www.assimp.org/ URL: http://www.assimp.org/
@ -14,17 +14,6 @@ Source0: assimp-%{version}-free.tar.xz
Patch01: CVE-2024-40724-Fix-out-of-bound-access-5651.patch Patch01: CVE-2024-40724-Fix-out-of-bound-access-5651.patch
Patch02: CVE-2024-45679.patch Patch02: CVE-2024-45679.patch
Patch03: CVE-2024-48425.patch
Patch04: CVE-2024-48423-pre-Fix-leak-5762.patch
Patch05: CVE-2024-48423.patch
Patch06: CVE-2024-48424.patch
Patch07: CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
Patch08: CVE-2024-53425.patch
Patch09: CVE-2025-2151.patch
Patch10: CVE-2025-3015.patch
Patch11: CVE-2025-3016.patch
Patch12: CVE-2025-3159.patch
Patch13: CVE-2025-3160.patch
BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib) BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
@ -104,27 +93,6 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
%{python3_sitelib}/pyassimp %{python3_sitelib}/pyassimp
%changelog %changelog
* Fri Apr 4 2025 changtao <changtao@kylinos.cn> - 5.3.1-9
- Type:CVE
- CVE:CVE-2025-3160 CVE-2025-3159
- SUG:NA
- DESC:fix CVE-2025-3160 CVE-2025-3159
* Tue Apr 1 2025 changtao <changtao@kylinos.cn> - 5.3.1-8
- Type:CVE
- CVE:CVE-2025-3015 CVE-2025-3016
- SUG:NA
- DESC:fix CVE-2025-3015 CVE-2025-3016
* Thu Mar 20 2025 wangkai <13474090681@163.com> - 5.3.1-7
- Fix CVE-2025-2151
* Tue Feb 11 2025 yaoxin <1024769339@qq.com> - 5.3.1-6
- Fix CVE-2024-48423,CVE-2024-48424 and CVE-2024-53425
* Sat Oct 26 2024 liningjie <liningjie@xfusion.com> - 5.3.1-5
- Fix CVE-2024-48425
* Thu Sep 19 2024 wangkai <13474090681@163.com> - 5.3.1-4 * Thu Sep 19 2024 wangkai <13474090681@163.com> - 5.3.1-4
- fix CVE-2024-45679 - fix CVE-2024-45679