From da3003fbc44003bf4ed84be6cf9d5285f8ab36b8 Mon Sep 17 00:00:00 2001
From: TristanInSec
Date: Fri, 17 Apr 2026 11:56:51 -0400
Subject: [PATCH] Add missing bounds check in RAnsDecoder::read_init

The x==3 branch reads 4 bytes via mem_get_le32 but does not validate that offset >= 4 before computing buf + offset - 4. The other branches (x==1, x==2) already have their respective guards. Add the missing check to return an error when the buffer is too small.
---
 src/draco/compression/entropy/ans.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/draco/compression/entropy/ans.h b/src/draco/compression/entropy/ans.h
index 313546fee..17318c371 100644
--- a/src/draco/compression/entropy/ans.h
+++ b/src/draco/compression/entropy/ans.h
@@ -441,6 +441,9 @@ class RAnsDecoder {
 ans_.buf_offset = offset - 3;
 ans_.state = mem_get_le24(buf + offset - 3) & 0x3FFFFF;
 } else if (x == 3) {
+ if (offset < 4) {
+ return 1;
+ }
 ans_.buf_offset = offset - 4;
 ans_.state = mem_get_le32(buf + offset - 4) & 0x3FFFFFFF;
 } else {
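Review bot: The added `offset < 4` guard in the `x == 3` branch ships without a regression test (the diffstat lists only ans.h), so nothing stops a later refactor from dropping it and restoring the read before the start of `buf`. A decoder unit test that passes `read_init` a buffer shorter than four bytes which selects the `x == 3` branch, and asserts a non-zero return, would pin the fix. The guard would also benefit from a one-line comment such as `// x == 3: state is 4 bytes wide; reject short input before reading buf + offset - 4.`, since the bare `return 1;` does not say why it is there. `read_init` begins and ends outside this hunk, so it cannot be confirmed from here that `offset` is also bounded above by the real buffer length or that every caller checks the return value; both are worth verifying alongside this change.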