fix: WMO MODS parser raw memcpy without bounds check

The doodad set name read used raw memcpy(20 bytes) bypassing the safe read<T> template that returns {} on OOB. A truncated WMO file would read past the vector's storage. Added bounds check before the memcpy.
2026-04-16 01:03:51 +00:00 · 2026-03-29 20:05:37 -07:00 · 2026-03-29 20:05:37 -07:00 · 568a14852d
commit 568a14852d
parent b5fba65277
1 changed files with 5 additions and 2 deletions
--- a/src/pipeline/wmo_loader.cpp
+++ b/src/pipeline/wmo_loader.cpp
@ -315,10 +315,13 @@ WMOModel WMOLoader::load(const std::vector<uint8_t>& wmoData) {
            }

            case MODS: {
-                // Doodad sets
-                uint32_t nSets = chunkSize / 32;  // Each set is 32 bytes
+                // Doodad sets: 20-byte name + 3×uint32 = 32 bytes each.
+                // Use bounds check before memcpy to avoid OOB on truncated files
+                // (the raw memcpy bypassed the safe read<T> template).
+                uint32_t nSets = chunkSize / 32;
                for (uint32_t i = 0; i < nSets; i++) {
                    WMODoodadSet set;
+                    if (offset + 20 > wmoData.size()) break;
                    std::memcpy(set.name, &wmoData[offset], 20);
                    offset += 20;
                    set.startIndex = read<uint32_t>(wmoData, offset);