From 568a14852d4bacba85756b0efe68e151b73c6b4b Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Sun, 29 Mar 2026 20:05:37 -0700
Subject: [PATCH] fix: WMO MODS parser raw memcpy without bounds check

The doodad set name read used raw memcpy(20 bytes) bypassing the safe read template that returns {} on OOB. A truncated WMO file would read past the vector's storage. Added bounds check before the memcpy.
---
 src/pipeline/wmo_loader.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/pipeline/wmo_loader.cpp b/src/pipeline/wmo_loader.cpp
index 3e3a7e19..4be2c521 100644
--- a/src/pipeline/wmo_loader.cpp
+++ b/src/pipeline/wmo_loader.cpp
@@ -315,10 +315,13 @@ WMOModel WMOLoader::load(const std::vector& wmoData) {
         }
         case MODS: {
-            // Doodad sets
-            uint32_t nSets = chunkSize / 32; // Each set is 32 bytes
+            // Doodad sets: 20-byte name + 3Ă—uint32 = 32 bytes each.
+            // Use bounds check before memcpy to avoid OOB on truncated files
+            // (the raw memcpy bypassed the safe read template).
+            uint32_t nSets = chunkSize / 32;
             for (uint32_t i = 0; i < nSets; i++) {
                 WMODoodadSet set;
+                if (offset + 20 > wmoData.size()) break;
                 std::memcpy(set.name, &wmoData[offset], 20);
                 offset += 20;
                 set.startIndex = read(wmoData, offset);