From d19c3d411c3227a04e6909b9dd5ddbb003691b42 Mon Sep 17 00:00:00 2001
From: changtao
Date: Sat, 29 Mar 2025 18:49:59 +0800
Subject: [PATCH] fix CVE-2025-3015 CVE-2025-3016
---
 CVE-2025-3015.patch | 26 ++++++++++++++++++++++++++
 CVE-2025-3016.patch | 38 ++++++++++++++++++++++++++++++++++++++
 assimp.spec | 10 +++++++++-
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-3015.patch
 create mode 100644 CVE-2025-3016.patch
diff --git a/CVE-2025-3015.patch b/CVE-2025-3015.patch
new file mode 100644
index 0000000..7804ab7
--- /dev/null
+++ b/CVE-2025-3015.patch
@@ -0,0 +1,26 @@
+From 7c705fde418d68cca4e8eff56be01b2617b0d6fe Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:12:02 +0100
+Subject: [PATCH] ASE: Fix possible out of bound access. (#6045)
+---
+ code/AssetLib/ASE/ASELoader.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
+index 4617c9e..a622bb0 100644
+--- a/code/AssetLib/ASE/ASELoader.cpp
++++ b/code/AssetLib/ASE/ASELoader.cpp
+@@ -730,6 +730,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
+ unsigned int iCurrent = 0, fi = 0;
+ for (std::vector::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
+ for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
++ const uint32_t curIndex = (*i).mIndices[n];
++ if (curIndex >= mesh.mPositions.size()) {
++ throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
++ }
+ mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
+
+ // add texture coordinates
+--
+2.46.0
+
diff --git a/CVE-2025-3016.patch b/CVE-2025-3016.patch
new file mode 100644
index 0000000..d2f5403
--- /dev/null
+++ b/CVE-2025-3016.patch
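Review bot: The added bounds check stores the face index in `curIndex`, but the assignment right after it still re-reads `(*i).mIndices[n]`; index with the validated value instead, `mPositions[iCurrent] = mesh.mPositions[curIndex];`, so the checked index and the used index cannot diverge in a later edit. The check covers only the position array. The loop body continues outside the hunk (the `// add texture coordinates` part), and if the lookups there also use indices read from the ASE file, they need the same range check before the array access; that code is not visible here, so confirm against the full function.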
@@ -0,0 +1,38 @@
+From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:29:33 +0100
+Subject: [PATCH] MDL: Limit max texture sizes
+
+- closes https://github.com/assimp/assimp/issues/6022
+---
+ code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+index 3d39fa6..1bff785 100644
+--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
++++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+@@ -210,6 +210,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
+ return;
+ }
+
++static const uint32_t MaxTextureSize = 4096;
++
+ // ------------------------------------------------------------------------------------------------
+ // Load color data of a texture and convert it to our output format
+ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+@@ -220,6 +222,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+
+ // allocate storage for the texture image
+ if (do_read) {
++ // check for max texture sizes
++ if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
++ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
++ }
++
+ if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
+--
+2.46.0
+
diff --git a/assimp.spec b/assimp.spec
index f8c3adb..902fa3b 100644
--- a/assimp.spec
+++ b/assimp.spec
@@ -1,6 +1,6 @@
 Name: assimp
 Version: 5.3.1
-Release: 7
+Release: 8
 Summary: Library to load and process various 3D model formats into applications.
 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL: http://www.assimp.org/
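Review bot: The new size cap sits inside `if (do_read)`, so a call that only skips the texture data gets no dimension check at all. ParseTextureColorData continues outside the hunk, and if `mWidth * mHeight` is also used there to compute read or skip lengths, the cap should move above the `if` so both paths reject oversized values. `MaxTextureSize` is declared between two function bodies without explanation; a comment such as `// Largest texture width/height accepted from an MDL file; larger values are rejected as malformed.` would document the limit. Both throws carry the same text, so the cap and the overflow guard cannot be told apart in logs; the new one could read `throw DeadlyImportError("Invalid MDL file. Texture dimensions exceed the supported maximum.");`.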
@@ -21,6 +21,8 @@ Patch06: CVE-2024-48424.patch
 Patch07: CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
 Patch08: CVE-2024-53425.patch
 Patch09: CVE-2025-2151.patch
+Patch10: CVE-2025-3015.patch
+Patch11: CVE-2025-3016.patch
 BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
 BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
@@ -100,6 +102,12 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
 %{python3_sitelib}/pyassimp
 %changelog
+* Tue Apr 1 2025 changtao - 5.3.1-8
+- Type:CVE
+- CVE:CVE-2025-3015 CVE-2025-3016
+- SUG:NA
+- DESC:fix CVE-2025-3015 CVE-2025-3016
+
 * Thu Mar 20 2025 wangkai <13474090681@163.com> - 5.3.1-7
 - Fix CVE-2025-2151
--
Gitee