Merge pull request #69 from pic4xiu/master

qmuntal · web-flow · commit f8943955814c · 2023-07-18T16:03:04.000+02:00
Avoid out of bounds when calculating b.URI[startPos:]
diff --git a/gltf.go b/gltf.go
@@ -2,6 +2,7 @@ package gltf
 
 import (
 	"encoding/base64"
+	"errors"
 	"strings"
 	"sync"
 )
@@ -133,6 +134,9 @@ func (b *Buffer) marshalData() ([]byte, error) {
 		return nil, nil
 	}
 	startPos := len(mimetypeApplicationOctet) + 1
+	if len(b.URI) < startPos {
+		return nil, errors.New("gltf: Invalid base64 content")
+	}
 	sl, err := base64.StdEncoding.DecodeString(b.URI[startPos:])
 	if len(sl) == 0 || err != nil {
 		return nil, err
diff --git a/gltf_test.go b/gltf_test.go
@@ -96,6 +96,7 @@ func TestBuffer_marshalData(t *testing.T) {
 		{"empty", &Buffer{URI: "data:application/octet-stream;base64,"}, nil, false},
 		{"test", &Buffer{URI: "data:application/octet-stream;base64,TEST"}, []byte{76, 68, 147}, false},
 		{"complex", &Buffer{URI: "data:application/octet-stream;base64,YW55IGNhcm5hbCBwbGVhcw=="}, []byte{97, 110, 121, 32, 99, 97, 114, 110, 97, 108, 32, 112, 108, 101, 97, 115}, false},
+		{"invalid", &Buffer{URI: "data:application/octet-stream;base64"}, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,7 @@ func TestBuffer_marshalData(t *testing.T) {`
`96`	`96`	`{"empty", &Buffer{URI: "data:application/octet-stream;base64,"}, nil, false},`
`97`	`97`	`{"test", &Buffer{URI: "data:application/octet-stream;base64,TEST"}, []byte{76, 68, 147}, false},`
`98`	`98`	`{"complex", &Buffer{URI: "data:application/octet-stream;base64,YW55IGNhcm5hbCBwbGVhcw=="}, []byte{97, 110, 121, 32, 99, 97, 114, 110, 97, 108, 32, 112, 108, 101, 97, 115}, false},`
	`99`	`+ {"invalid", &Buffer{URI: "data:application/octet-stream;base64"}, nil, true},`
`99`	`100`	`}`
`100`	`101`	`for _, tt := range tests {`
`101`	`102`	`t.Run(tt.name, func(t *testing.T) {`