fix(wom): reject load on out-of-range string lengths

Same silent-corruption pattern as WoB: model.name had no length check at all (would happily allocate 64KB), and texture paths silently zeroed pathLen on overflow leaving the actual bytes on disk to shift the rest of the file. Now reject with LOG_ERROR.
2026-05-07 01:23:52 +00:00 · 2026-05-06 09:24:55 -07:00 · 2026-05-06 09:24:55 -07:00 · bbd2e0502b
commit bbd2e0502b
parent d818ff382c
1 changed files with 14 additions and 2 deletions
--- a/src/pipeline/wowee_model.cpp
+++ b/src/pipeline/wowee_model.cpp
@ -62,6 +62,12 @@ WoweeModel WoweeModelLoader::load(const std::string& basePath) {

    uint16_t nameLen;
    f.read(reinterpret_cast<char*>(&nameLen), 2);
+    // Save caps name at 1024; reject anything longer to keep load
+    // alignment with future-version files predictable.
+    if (nameLen > 1024) {
+        LOG_ERROR("WOM name length rejected (", nameLen, "): ", basePath);
+        return WoweeModel{};
+    }
    model.name.resize(nameLen);
    f.read(model.name.data(), nameLen);

@ -109,8 +115,14 @@ WoweeModel WoweeModelLoader::load(const std::string& basePath) {
    for (uint32_t i = 0; i < texCount; i++) {
        uint16_t pathLen;
        f.read(reinterpret_cast<char*>(&pathLen), 2);
-        // Reject absurd path lengths (corrupted/truncated file).
-        if (pathLen > 1024) { pathLen = 0; }
+        // Same desync risk as elsewhere — pathLen=0 with the actual
+        // bytes still on disk would shift every subsequent length+data
+        // pair. Reject the whole load instead of silently dropping.
+        if (pathLen > 1024) {
+            LOG_ERROR("WOM texture path ", i, " length rejected (",
+                      pathLen, "): ", basePath);
+            return WoweeModel{};
+        }
        std::string path(pathLen, '\0');
        f.read(path.data(), pathLen);
        // Reject path-traversal — texture paths from a hostile WOM are fed