diff --git a/changelog.txt b/changelog.txt
index 66f8d8b1..5ee057f4 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,9 @@
+v2026.5 May 22nd, 2026
+
+Fixes
+ gltf
+ - add input validation to NGP extension to prevent memory corruption vulnerabilities
+
 v2026.3 March 6th, 2026
 
 General Changes:
diff --git a/gltf/src/gltfImport.cpp b/gltf/src/gltfImport.cpp
index 481199e7..eeafe592 100644
--- a/gltf/src/gltfImport.cpp
+++ b/gltf/src/gltfImport.cpp
@@ -2721,12 +2721,32 @@ importNgpExtension(const tinygltf::Value& ngp, NgpData& ngpData)
 if (val.Type() == tinygltf::STRING_TYPE) {
 std::vector data;
 unpackBase64String(val.Get(), false, data);
- dst.resize(data.size() / sizeof(float));
-
- if (d1 == 0 || d2 == 0) {
- memcpy(dst.data(), data.data(), data.size());
- } else {
+ std::size_t numFloats = data.size() / sizeof(float);
+
+ if (d1 != 0 && d2 != 0) {
+ std::size_t expectedFloats = d1 * d2;
+ if (numFloats < expectedFloats) {
+ TF_WARN("NGP weight data '%s' has %zu floats, expected %zu (d1=%zu, d2=%zu). "
+ "Skipping.",
+ name,
+ numFloats,
+ expectedFloats,
+ d1,
+ d2);
+ return;
+ }
+ dst.resize(expectedFloats);
 unpackMLPWeight(reinterpret_cast(data.data()), dst.data(), d1, d2);
+ } else {
+ if (numFloats == 0) {
+ TF_WARN("NGP field '%s' decoded to %zu bytes, not enough for a single "
+ "float. Skipping.",
+ name,
+ data.size());
+ return;
+ }
+ dst.resize(numFloats);
+ memcpy(dst.data(), data.data(), numFloats * sizeof(float));
 }
 }
 };
diff --git a/version.json b/version.json
index 80d9b842..40408be0 100644
--- a/version.json
+++ b/version.json
@@ -1,3 +1,3 @@
 {
- "version": "2026.03"
+ "version": "2026.05"
 }
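Review bot: In the gltf/src/gltfImport.cpp hunk, `std::size_t expectedFloats = d1 * d2;` multiplies the two dimensions without an overflow check, so a wrapped product could pass the `numFloats < expectedFloats` test and size `dst` smaller than what `unpackMLPWeight` is then asked to fill with the original `d1, d2`. The declarations of `d1` and `d2` are outside the hunk (the `%zu` arguments suggest `size_t`), so confirm whether they are read from the file; if they are, reject the pair before multiplying, e.g. `if (d1 > std::numeric_limits<std::size_t>::max() / d2) { TF_WARN("NGP weight '%s' dimensions overflow. Skipping.", name); return; }`, which needs `<limits>`. The enclosing lambda starts before the hunk, so an existing upstream bound on the dimensions would make this moot.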