Fix buffer overrun if header specifies more vertices than the file really has (#53)

RamonArguelles · web-flow · commit 0950d0344326 · 2022-02-04T18:15:42.000-08:00
diff --git a/source/tinyply.h b/source/tinyply.h
@@ -279,8 +279,8 @@ struct PlyFile::PlyFileImpl
         const std::vector<std::string> propertyKeys,
         const Type type, const size_t count, const uint8_t * data, const Type listType, const size_t listCount);
 
-    size_t read_property_binary(const size_t & stride, void * dest, size_t & destOffset, std::istream & is) noexcept;
-    size_t read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, std::istream & is);
+    size_t read_property_binary(const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is);
+    size_t read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is);
 
     std::vector<std::vector<PropertyLookup>> make_property_lookup_table();
 
@@ -429,15 +429,25 @@ void PlyFile::PlyFileImpl::read_header_property(std::istream & is)
     elements.back().properties.emplace_back(is);
 }
 
-size_t PlyFile::PlyFileImpl::read_property_binary(const size_t & stride, void * dest, size_t & destOffset, std::istream & is) noexcept
+size_t PlyFile::PlyFileImpl::read_property_binary(const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is)
 {
+    if (destOffset + stride > destSize)
+    {
+        throw std::runtime_error("unexpected EOF. malformed file?");
+    }
+
     destOffset += stride;
     is.read((char*)dest, stride);
     return stride;
 }
 
-size_t PlyFile::PlyFileImpl::read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, std::istream & is)
+size_t PlyFile::PlyFileImpl::read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is)
 {
+    if (destOffset + stride > destSize)
+    {
+        throw std::runtime_error("unexpected EOF. malformed file?");
+    }
+
     destOffset += stride;
     switch (t)
     {
@@ -810,7 +820,7 @@ void PlyFile::PlyFileImpl::add_properties_to_element(const std::string & element
 
 void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)
 {
-    std::function<void(PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & is)> read;
+    std::function<void(PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & is)> read;
     std::function<size_t(PropertyLookup & f, const PlyProperty & p, std::istream & is)> skip;
 
     const auto start = is.tellg();
@@ -846,14 +856,14 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)
 
     if (isBinary)
     {
-        read = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & _is) noexcept
+        read = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & _is)
         {
             if (!p.isList)
             {
-                return read_property_binary(f.prop_stride, dest + destOffset, destOffset, _is);
+                return read_property_binary(f.prop_stride, dest + destOffset, destOffset, destSize, _is);
             }
             read_list_binary(p.listType, &listSize, dummyCount, f.list_stride, _is); // the list size
-            return read_property_binary(f.prop_stride * listSize, dest + destOffset, destOffset, _is); // properties in list
+            return read_property_binary(f.prop_stride * listSize, dest + destOffset, destOffset, destSize, _is); // properties in list
         };
         skip = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, std::istream & _is) noexcept
         {
@@ -870,18 +880,18 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)
     }
     else
     {
-        read = [this, &listSize, &dummyCount](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & _is) noexcept
+        read = [this, &listSize, &dummyCount](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & _is)
         {
             if (!p.isList)
             {
-                read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, _is);
+                read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, destSize, _is);
             }
             else
             {
-                read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, _is); // the list size
+                read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, sizeof(listSize), _is); // the list size
                 for (size_t i = 0; i < listSize; ++i)
                 {
-                    read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, _is);
+                    read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, destOffset, _is);
                 }
             }
         };
@@ -890,7 +900,8 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)
             skip_ascii_buffer.clear();
             if (p.isList)
             {
-                read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, _is); // the list size (does not count for memory alloc)
+                dummyCount = 0;
+                read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, sizeof(listSize), _is); // the list size (does not count for memory alloc)
                 for (size_t i = 0; i < listSize; ++i) _is >> skip_ascii_buffer; // properties in list
                 return listSize * f.prop_stride;
             }
@@ -929,7 +940,8 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)
                     }
                     else
                     {
-                        read(lookup, property, helper->data->buffer.get(), helper->cursor->byteOffset, is);
+                        const size_t destSize = helper->data->buffer.size_bytes();
+                        read(lookup, property, helper->data->buffer.get(), helper->cursor->byteOffset, destSize, is);
                     }
                 }
                 else

Original file line number	Diff line number	Diff line change
`@@ -279,8 +279,8 @@ struct PlyFile::PlyFileImpl`
`279`	`279`	`const std::vector<std::string> propertyKeys,`
`280`	`280`	`const Type type, const size_t count, const uint8_t * data, const Type listType, const size_t listCount);`
`281`	`281`
`282`		`- size_t read_property_binary(const size_t & stride, void * dest, size_t & destOffset, std::istream & is) noexcept;`
`283`		`- size_t read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, std::istream & is);`
	`282`	`+ size_t read_property_binary(const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is);`
	`283`	`+ size_t read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is);`
`284`	`284`
`285`	`285`	`std::vector<std::vector<PropertyLookup>> make_property_lookup_table();`
`286`	`286`
`@@ -429,15 +429,25 @@ void PlyFile::PlyFileImpl::read_header_property(std::istream & is)`
`429`	`429`	`elements.back().properties.emplace_back(is);`
`430`	`430`	`}`
`431`	`431`
`432`		`-size_t PlyFile::PlyFileImpl::read_property_binary(const size_t & stride, void * dest, size_t & destOffset, std::istream & is) noexcept`
	`432`	`+size_t PlyFile::PlyFileImpl::read_property_binary(const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is)`
`433`	`433`	`{`
	`434`	`+ if (destOffset + stride > destSize)`
	`435`	`+ {`
	`436`	`+ throw std::runtime_error("unexpected EOF. malformed file?");`
	`437`	`+ }`
	`438`	`+`
`434`	`439`	`destOffset += stride;`
`435`	`440`	`is.read((char*)dest, stride);`
`436`	`441`	`return stride;`
`437`	`442`	`}`
`438`	`443`
`439`		`-size_t PlyFile::PlyFileImpl::read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, std::istream & is)`
	`444`	`+size_t PlyFile::PlyFileImpl::read_property_ascii(const Type & t, const size_t & stride, void * dest, size_t & destOffset, size_t destSize, std::istream & is)`
`440`	`445`	`{`
	`446`	`+ if (destOffset + stride > destSize)`
	`447`	`+ {`
	`448`	`+ throw std::runtime_error("unexpected EOF. malformed file?");`
	`449`	`+ }`
	`450`	`+`
`441`	`451`	`destOffset += stride;`
`442`	`452`	`switch (t)`
`443`	`453`	`{`
`@@ -810,7 +820,7 @@ void PlyFile::PlyFileImpl::add_properties_to_element(const std::string & element`
`810`	`820`
`811`	`821`	`void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)`
`812`	`822`	`{`
`813`		`- std::function<void(PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & is)> read;`
	`823`	`+ std::function<void(PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & is)> read;`
`814`	`824`	`std::function<size_t(PropertyLookup & f, const PlyProperty & p, std::istream & is)> skip;`
`815`	`825`
`816`	`826`	`const auto start = is.tellg();`
`@@ -846,14 +856,14 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)`
`846`	`856`
`847`	`857`	`if (isBinary)`
`848`	`858`	`{`
`849`		`- read = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & _is) noexcept`
	`859`	`+ read = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & _is)`
`850`	`860`	`{`
`851`	`861`	`if (!p.isList)`
`852`	`862`	`{`
`853`		`- return read_property_binary(f.prop_stride, dest + destOffset, destOffset, _is);`
	`863`	`+ return read_property_binary(f.prop_stride, dest + destOffset, destOffset, destSize, _is);`
`854`	`864`	`}`
`855`	`865`	`read_list_binary(p.listType, &listSize, dummyCount, f.list_stride, _is); // the list size`
`856`		`- return read_property_binary(f.prop_stride * listSize, dest + destOffset, destOffset, _is); // properties in list`
	`866`	`+ return read_property_binary(f.prop_stride * listSize, dest + destOffset, destOffset, destSize, _is); // properties in list`
`857`	`867`	`};`
`858`	`868`	`skip = [this, &listSize, &dummyCount, &read_list_binary](PropertyLookup & f, const PlyProperty & p, std::istream & _is) noexcept`
`859`	`869`	`{`
`@@ -870,18 +880,18 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)`
`870`	`880`	`}`
`871`	`881`	`else`
`872`	`882`	`{`
`873`		`- read = [this, &listSize, &dummyCount](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, std::istream & _is) noexcept`
	`883`	`+ read = [this, &listSize, &dummyCount](PropertyLookup & f, const PlyProperty & p, uint8_t * dest, size_t & destOffset, size_t destSize, std::istream & _is)`
`874`	`884`	`{`
`875`	`885`	`if (!p.isList)`
`876`	`886`	`{`
`877`		`- read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, _is);`
	`887`	`+ read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, destSize, _is);`
`878`	`888`	`}`
`879`	`889`	`else`
`880`	`890`	`{`
`881`		`- read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, _is); // the list size`
	`891`	`+ read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, sizeof(listSize), _is); // the list size`
`882`	`892`	`for (size_t i = 0; i < listSize; ++i)`
`883`	`893`	`{`
`884`		`- read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, _is);`
	`894`	`+ read_property_ascii(p.propertyType, f.prop_stride, dest + destOffset, destOffset, destOffset, _is);`
`885`	`895`	`}`
`886`	`896`	`}`
`887`	`897`	`};`
`@@ -890,7 +900,8 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)`
`890`	`900`	`skip_ascii_buffer.clear();`
`891`	`901`	`if (p.isList)`
`892`	`902`	`{`
`893`		`- read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, _is); // the list size (does not count for memory alloc)`
	`903`	`+ dummyCount = 0;`
	`904`	`+ read_property_ascii(p.listType, f.list_stride, &listSize, dummyCount, sizeof(listSize), _is); // the list size (does not count for memory alloc)`
`894`	`905`	`for (size_t i = 0; i < listSize; ++i) _is >> skip_ascii_buffer; // properties in list`
`895`	`906`	`return listSize * f.prop_stride;`
`896`	`907`	`}`
`@@ -929,7 +940,8 @@ void PlyFile::PlyFileImpl::parse_data(std::istream & is, bool firstPass)`
`929`	`940`	`}`
`930`	`941`	`else`
`931`	`942`	`{`
`932`		`- read(lookup, property, helper->data->buffer.get(), helper->cursor->byteOffset, is);`
	`943`	`+ const size_t destSize = helper->data->buffer.size_bytes();`
	`944`	`+ read(lookup, property, helper->data->buffer.get(), helper->cursor->byteOffset, destSize, is);`
`933`	`945`	`}`
`934`	`946`	`}`
`935`	`947`	`else`