From 17f67e3ec83253254f7432f35c328934b2dac752 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Wed, 6 May 2026 09:19:24 -0700
Subject: [PATCH] fix(wob): reject load on out-of-range material count
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously load silently skipped the materials block when mc > 256, leaving the file pointer right after the count — the next group's name would then read material bytes as garbage and the rest of the file would shift. Save now caps at 256 (so the asymmetry shouldn't trigger from our own writer), but a hand-crafted or future-version WoB could still hit it.
---
 src/pipeline/wowee_building.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/pipeline/wowee_building.cpp b/src/pipeline/wowee_building.cpp
index 82f7873c..4f96b465 100644
--- a/src/pipeline/wowee_building.cpp
+++ b/src/pipeline/wowee_building.cpp
@@ -115,9 +115,17 @@ WoweeBuilding WoweeBuildingLoader::load(const std::string& basePath) {
 grp.texturePaths.push_back(tp);
 }

- // Read material data (v1.1+)
+ // Read material data (v1.1+). Reject the whole load on a count
+ // overflow rather than silently dropping the materials and leaving
+ // the file pointer misaligned (next group's name would read
+ // material bytes as garbage).
 uint32_t mc = 0;
- if (f.read(reinterpret_cast(&mc), 4) && mc > 0 && mc <= 256) {
+ if (f.read(reinterpret_cast(&mc), 4) && mc > 0) {
+ if (mc > 256) {
+ LOG_ERROR("WOB group ", gi, " material count rejected (",
+ mc, "): ", basePath);
+ return WoweeBuilding{};
+ }
 for (uint32_t mi = 0; mi < mc; mi++) {
 WoweeBuilding::Material mat;
 uint16_t pl;
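Review bot: The new `mc > 256` rejection still leaves a failed or short read of the count indistinguishable from `mc == 0`: when the `f.read(...)` call fails on a truncated file, the outer `if` is simply skipped and parsing carries on with the stream in a failed state, which is the same silent-desync class this commit is closing. Whether a later check in `load` catches that is not visible here, since the function starts and ends outside the hunk; if a missing materials block is only legitimate for pre-v1.1 files, gate on the file version and otherwise treat a failed count read as a rejected load. The limit is also a bare `256` that, per the commit message, has to match the writer's cap, so a shared constant such as `constexpr uint32_t kMaxGroupMaterials = 256;` used by both save and load would keep the two from drifting apart. Callers receive `WoweeBuilding{}` on rejection, so it is worth confirming that they treat an empty building as a failure rather than as a valid empty asset.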