!85 [sync] PR-82: fix CVE-2025-3160 CVE-2025-3159

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2024-45679.patch

@@ -0,0 +1,38 @@
+From e4e2c63e0c2c449cd69fb9a3269e865eb83c241d Mon Sep 17 00:00:00 2001
+From: Alexandre Avenel <alexandre.avenel@ls-vr.com>
+Date: Sat, 4 Nov 2023 10:28:19 +0100
+Subject: [PATCH] Fix heap-buffer overflow in PLY parser
+Origin: https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d
+
+---
+ code/AssetLib/Ply/PlyParser.cpp | 3 ++-
+ include/assimp/IOStreamBuffer.h | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/code/AssetLib/Ply/PlyParser.cpp b/code/AssetLib/Ply/PlyParser.cpp
+index 6edba71fca..662da805ea 100644
+--- a/code/AssetLib/Ply/PlyParser.cpp
++++ b/code/AssetLib/Ply/PlyParser.cpp
+@@ -425,7 +425,8 @@ bool PLY::DOM::ParseHeader(IOStreamBuffer<char> &streamBuffer, std::vector<char>
+             break;
+         } else {
+             // ignore unknown header elements
+-            streamBuffer.getNextLine(buffer);
++            if (!streamBuffer.getNextLine(buffer))
++              return false;
+         }
+     }
+ 
+diff --git a/include/assimp/IOStreamBuffer.h b/include/assimp/IOStreamBuffer.h
+index fae480e715..47db35a957 100644
+--- a/include/assimp/IOStreamBuffer.h
++++ b/include/assimp/IOStreamBuffer.h
+@@ -287,7 +287,7 @@ static AI_FORCE_INLINE bool isEndOfCache(size_t pos, size_t cacheSize) {
+ template <class T>
+ AI_FORCE_INLINE bool IOStreamBuffer<T>::getNextLine(std::vector<T> &buffer) {
+     buffer.resize(m_cacheSize);
+-    if (isEndOfCache(m_cachePos, m_cacheSize) || 0 == m_filePos) {
++    if (m_cachePos >= m_cacheSize || 0 == m_filePos) {
+         if (!readNextBlock()) {
+             return false;
+         }

CVE-2024-48425.patch

@@ -0,0 +1,29 @@
+From ecdf8d24b85367b22ba353b4f82299d4af7f1f97 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Mon, 7 Oct 2024 10:30:45 +0200
+Subject: [PATCH] SplitLargeMeshes: Fix crash (#5799)
+
+- Fix nullptr access when rootnode of the scene is a nullptr. This can happen even if the scene stores any kind of meshes. closes https://github.com/assimp/assimp/issues/5791
+---
+ code/PostProcessing/SplitLargeMeshes.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/code/PostProcessing/SplitLargeMeshes.cpp b/code/PostProcessing/SplitLargeMeshes.cpp
+index 508a826..6c9713a 100644
+--- a/code/PostProcessing/SplitLargeMeshes.cpp
++++ b/code/PostProcessing/SplitLargeMeshes.cpp
+@@ -109,6 +109,11 @@ void SplitLargeMeshesProcess_Triangle::SetupProperties( const Importer* pImp) {
+ // Update a node after some meshes have been split
+ void SplitLargeMeshesProcess_Triangle::UpdateNode(aiNode* pcNode,
+         const std::vector<std::pair<aiMesh*, unsigned int> >& avList) {
++    if (pcNode == nullptr) {
++        ASSIMP_LOG_WARN("UpdateNode skipped, nullptr detected.");
++        return;
++    }
++
+     // for every index in out list build a new entry
+     std::vector<unsigned int> aiEntries;
+     aiEntries.reserve(pcNode->mNumMeshes + 1);
+-- 
+2.33.0
+

CVE-2025-2151.patch

@@ -0,0 +1,29 @@
+From d2c6e64a1122884570caf4aaa589d810f5351f28 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Thu, 13 Mar 2025 10:17:43 +0100
+Subject: [PATCH] Fix: Avoid override in line parsing (#6048)
+
+Origin: https://github.com/assimp/assimp/commit/d2c6e64a1122884570caf4aaa589d810f5351f28
+
+* Fix: Avoid override in line parsing
+
+- closes https://github.com/assimp/assimp/issues/6026
+
+* Update ParsingUtils.h
+---
+ include/assimp/ParsingUtils.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/assimp/ParsingUtils.h b/include/assimp/ParsingUtils.h
+index f5908ee245..9882cf1148 100644
+--- a/include/assimp/ParsingUtils.h
++++ b/include/assimp/ParsingUtils.h
+@@ -167,7 +167,7 @@ AI_FORCE_INLINE bool GetNextLine(const char_t *&buffer, char_t out[BufferSize])
+     }
+     *_out = (char_t)'\0';
+ 
+-    while (IsLineEnd(*buffer) && '\0' != *buffer) {
++    while (IsLineEnd(*buffer) && '\0' != *buffer && buffer != end) {
+         ++buffer;
+     }
+ 

CVE-2025-3015.patch

@@ -0,0 +1,26 @@
+From 7c705fde418d68cca4e8eff56be01b2617b0d6fe Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Wed, 12 Mar 2025 21:12:02 +0100
+Subject: [PATCH] ASE: Fix possible out of bound access. (#6045)
+---
+ code/AssetLib/ASE/ASELoader.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
+index caa7089..a4372b1 100644
+--- a/code/AssetLib/ASE/ASELoader.cpp
++++ b/code/AssetLib/ASE/ASELoader.cpp
+@@ -752,6 +752,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
+     unsigned int iCurrent = 0, fi = 0;
+     for (std::vector<ASE::Face>::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
+         for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
++            const uint32_t curIndex = (*i).mIndices[n];
++             if (curIndex >= mesh.mPositions.size()) {
++                 throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
++             }
+             mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
+ 
+             // add texture coordinates
+-- 
+2.46.0
+

CVE-2025-3016.patch

@@ -0,0 +1,38 @@
+From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Wed, 12 Mar 2025 21:29:33 +0100
+Subject: [PATCH] MDL: Limit max texture sizes
+
+- closes https://github.com/assimp/assimp/issues/6022
+---
+ code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+index 2de43d2..8e1da65 100644
+--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
++++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+@@ -210,6 +210,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
+     return;
+ }
+ 
++static const uint32_t MaxTextureSize = 4096;
++
+ // ------------------------------------------------------------------------------------------------
+ // Load color data of a texture and convert it to our output format
+ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+@@ -220,6 +222,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+ 
+     // allocate storage for the texture image
+     if (do_read) {
++        // check for max texture sizes
++         if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
++             throw DeadlyImportError("Invalid MDL file. A texture is too big.");
++         }
++       
+         if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+             throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+         }
+-- 
+2.46.0
+

CVE-2025-3159.patch

@@ -0,0 +1,28 @@
+From e8a6286542924e628e02749c4f5ac4f91fdae71b Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Thu, 13 Mar 2025 16:23:36 +0100
+Subject: [PATCH] ASE: Use correct vertex container (#6051)
+
+- closes https://github.com/assimp/assimp/issues/6024
+---
+ code/AssetLib/ASE/ASEParser.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/code/AssetLib/ASE/ASEParser.cpp b/code/AssetLib/ASE/ASEParser.cpp
+index 0d52614..3bd3b42 100644
+--- a/code/AssetLib/ASE/ASEParser.cpp
++++ b/code/AssetLib/ASE/ASEParser.cpp
+@@ -1382,8 +1382,8 @@ void Parser::ParseLV4MeshBonesVertices(unsigned int iNumVertices, ASE::Mesh &mes
+             if (TokenMatch(filePtr, "MESH_BONE_VERTEX", 16)) {
+                 // read the vertex index
+                 unsigned int iIndex = strtoul10(filePtr, &filePtr);
+-                if (iIndex >= mesh.mPositions.size()) {
+-                    iIndex = (unsigned int)mesh.mPositions.size() - 1;
++                if (iIndex >= mesh.mBoneVertices.size()) {
++                     iIndex = (unsigned int)mesh.mBoneVertices.size() - 1;
+                     LogWarning("Bone vertex index is out of bounds. Using the largest valid "
+                                "bone vertex index instead");
+                 }
+-- 
+2.41.0
+

CVE-2025-3160.patch

@@ -0,0 +1,29 @@
+From a0993658f40d8e13ff5823990c30b43c82a5daf0 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Thu, 13 Mar 2025 10:24:20 +0100
+Subject: [PATCH] Bugfix: Fix possible nullptr dereferencing
+
+- closes https://github.com/assimp/assimp/issues/6025
+---
+ code/Common/SceneCombiner.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/code/Common/SceneCombiner.cpp b/code/Common/SceneCombiner.cpp
+index 2c2539e..b8a476c 100644
+--- a/code/Common/SceneCombiner.cpp
++++ b/code/Common/SceneCombiner.cpp
+@@ -95,6 +95,11 @@ inline void PrefixString(aiString &string, const char *prefix, unsigned int len)
+ // ------------------------------------------------------------------------------------------------
+ // Add node identifiers to a hashing set
+ void SceneCombiner::AddNodeHashes(aiNode *node, std::set<unsigned int> &hashes) {
++    if (node == nullptr) {
++         ASSIMP_LOG_VERBOSE_DEBUG("Pointer to aiNode is nullptr.");
++         return;
++     }
++   
+     // Add node name to hashing set if it is non-empty - empty nodes are allowed
+     // and they can't have any anims assigned so its absolutely safe to duplicate them.
+     if (node->mName.length) {
+-- 
+2.41.0
+

assimp.spec

@@ -1,12 +1,19 @@
 Name:          assimp
 Version:       5.2.4
-Release:       2
+Release:       7
 Summary:       Library to load and process various 3D model formats into applications.
 License:       BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL:           http://www.assimp.org/
 Source0:       https://github.com/assimp/assimp/archive/v%{version}.tar.gz
 Patch0001:     0001-Fix-build-with-zlib.patch
 Patch0002:     CVE-2024-40724-Fix-out-of-bound-access-5651.patch
+Patch0003:     CVE-2024-45679.patch
+Patch0004:     CVE-2024-48425.patch
+Patch0005:     CVE-2025-2151.patch
+Patch0006:     CVE-2025-3015.patch
+Patch0007:     CVE-2025-3016.patch
+Patch0008:     CVE-2025-3159.patch
+Patch0009:     CVE-2025-3160.patch
 
 BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
 BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zzip-zlib-config)
@@ -85,6 +92,27 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
 %{python3_sitelib}/pyassimp
 
 %changelog
+* Fri Apr 4 2025 changtao <changtao@kylinos.cn> - 5.2.4-7
+- Type:CVE
+- CVE:CVE-2025-3160 CVE-2025-3159
+- SUG:NA
+- DESC:fix CVE-2025-3160 CVE-2025-3159
+
+* Tue Apr 1 2025 changtao <changtao@kylinos.cn> - 5.2.4-6
+- Type:CVE
+- CVE:CVE-2025-3015 CVE-2025-3016
+- SUG:NA
+- DESC:fix CVE-2025-3015 CVE-2025-3016
+
+* Thu Mar 20 2025 wangkai <13474090681@163.com> - 5.2.4-5
+- Fix CVE-2025-2151
+
+* Sat Oct 26 2024 liningjie <liningjie@xfusion.com> - 5.2.4-4
+- Fix CVE-2024-48425
+
+* Thu Sep 19 2024 wangkai <13474090681@163.com> - 5.2.4-3
+- fix CVE-2024-45679
+
 * Mon Jul 22 2024 yinyongkang <yinyongkang@kylinos.cn> - 5.2.4-2
 - fix CVE-2024-40724