From ffc08629773ac47991e13f2f00eff9a8c46c6f22 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Wed, 6 May 2026 09:57:37 -0700
Subject: [PATCH] fix(wcp): cap readInfo file-list parse at 1M entries

readInfo iterated the info JSON's files array without bounding; a malicious WCP could declare more entries than the header fileCount allows and grow info.files unbounded. Cap to 1M matching the header check so both readInfo callers and --list-wcp/--info-wcp stay bounded.
---
 tools/editor/content_pack.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tools/editor/content_pack.cpp b/tools/editor/content_pack.cpp
index 89a46b01..17cc19f4 100644
--- a/tools/editor/content_pack.cpp
+++ b/tools/editor/content_pack.cpp
@@ -288,7 +288,12 @@ bool ContentPacker::readInfo(const std::string& wcpPath, ContentPackInfo& info)
 info.mapId = j.value("mapId", 9000u);
 info.files.clear();
 if (j.contains("files") && j["files"].is_array()) {
+ // Same cap as the header fileCount — info JSON could declare
+ // more entries than the header, so this defends both readInfo
+ // callers and the listing CLI from runaway memory use.
+ constexpr size_t kMaxFiles = 1'000'000;
 for (const auto& jf : j["files"]) {
+ if (info.files.size() >= kMaxFiles) break;
 ContentPackInfo::FileEntry fe;
 fe.path = jf.value("path", "");
 fe.size = jf.value("size", 0ULL);
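Review bot: The new `if (info.files.size() >= kMaxFiles) break;` truncates the list silently, so an over-long `files` array yields a partial `info.files` that, as far as this hunk shows, callers cannot tell from a complete one. A pack in that state is already malformed, so rejecting it before the `for` is clearer than looping up to the cap: `if (j["files"].size() > kMaxFiles) return false;` (assuming a false return is how readInfo reports a bad pack; its body starts and ends outside the hunk). The array in `j` is also already fully materialised when this loop runs, so the cap bounds only the copy into `info.files`; bounding memory during parsing would need a size limit on the info JSON before it is parsed. `kMaxFiles` is declared locally although the comment says it mirrors the header fileCount check, so a constant shared by both checks would keep the two limits from drifting apart.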