From e246ffd38c31d21cfa671ea9b32b4c7cac225199 Mon Sep 17 00:00:00 2001
From: mohammadmseet-hue
Date: Sat, 4 Apr 2026 06:31:35 +0200
Subject: [PATCH] fix: bounds checks for MaterialChunk shaderSize=0 and Ktx1Bundle constructor overflow

MaterialChunk::getTextShader: Add early return when shaderSize is 0 to prevent out-of-bounds write of null terminator at line 284. The bounds checks added in commit 92dc063a protect the loop body but not the unconditional null-terminator write after the loop.

Ktx1Bundle 3-argument constructor: Add the same 64-bit overflow check that the deserialization constructor received in commit 16a70473. The multiplication numMipLevels * arrayLength * mNumCubeFaces can overflow uint32_t, causing sizes vector to be undersized.
---
 libs/filaflat/src/MaterialChunk.cpp | 3 +++
 libs/image/src/Ktx1Bundle.cpp | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/libs/filaflat/src/MaterialChunk.cpp b/libs/filaflat/src/MaterialChunk.cpp
index c4689748f5d2..455265fc01bc 100644
--- a/libs/filaflat/src/MaterialChunk.cpp
+++ b/libs/filaflat/src/MaterialChunk.cpp
@@ -186,6 +186,9 @@ bool MaterialChunk::getTextShader(Unflattener unflattener,
 if (!unflattener.read(&shaderSize)){
 return false;
 }
+ if (shaderSize == 0) {
+ return false;
+ }
 // Read how many lines there are.
 uint32_t lineCount = 0;
diff --git a/libs/image/src/Ktx1Bundle.cpp b/libs/image/src/Ktx1Bundle.cpp
index bebc04328898..d0b293f3b377 100644
--- a/libs/image/src/Ktx1Bundle.cpp
+++ b/libs/image/src/Ktx1Bundle.cpp
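Review bot: The new `if (shaderSize == 0)` guard carries no explanation in the code, so a later cleanup could reasonably drop it as redundant with the loop bounds checks the commit message mentions; add a comment above it such as `// shaderSize must cover the NUL terminator written after the copy loop; a 0 here would make that write index out of bounds (see the terminator write at the end of this function).` The guard also makes an empty shader indistinguishable from a truncated chunk to callers, which looks acceptable since both are malformed input, but the comment should say that is intended. The terminator write this protects and the rest of getTextShader are outside the hunk, so whether any other path reaches that write with an undersized buffer cannot be confirmed from here.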
@@ -106,7 +106,10 @@ Ktx1Bundle::Ktx1Bundle(uint32_t numMipLevels, uint32_t arrayLength, bool isCubem
 mNumMipLevels = numMipLevels;
 mArrayLength = arrayLength;
 mNumCubeFaces = isCubemap ? 6 : 1;
- mBlobs->sizes.resize(numMipLevels * arrayLength * mNumCubeFaces);
+ uint64_t const totalBlobs = (uint64_t)numMipLevels * arrayLength * mNumCubeFaces;
+ FILAMENT_CHECK_POSTCONDITION(totalBlobs <= (uint64_t)std::numeric_limits::max())
+ << "KTX dimensions overflow";
+ mBlobs->sizes.resize((uint32_t)totalBlobs);
 }
 Ktx1Bundle::Ktx1Bundle(uint8_t const* bytes, uint32_t nbytes) :
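Review bot: The bound in the new check reads `std::numeric_limits::max()` with no template argument, which does not compile as written; presumably `<uint32_t>` was lost in rendering, but confirm the committed line is `FILAMENT_CHECK_POSTCONDITION(totalBlobs <= (uint64_t)std::numeric_limits<uint32_t>::max())` and that `<limits>` is included, since the include block is outside the hunk. The condition validates the constructor's arguments rather than a computed result, so a precondition-flavoured check, if the panic helpers in this codebase offer one, would describe the failure more accurately than POSTCONDITION, although matching the deserialization constructor's check as the commit message describes is a fair reason to keep it. Style-wise, `static_cast<uint64_t>(numMipLevels)` and `static_cast<uint32_t>(totalBlobs)` would make the widening and the narrowing greppable instead of the C-style casts. The constructor's signature and initializer list are outside the hunk.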