Added extra bounds checks (#288)

walbourn · web-flow · commit 6613cfc60f21 · 2026-04-16T15:16:43.000-07:00
Resolves MSRC 113268 which is a low risk information disclosure bug.
diff --git a/DirectXMesh/DirectXMeshAdjacency.cpp b/DirectXMesh/DirectXMeshAdjacency.cpp
@@ -374,6 +374,11 @@ namespace
             const uint32_t v2 = pointRep[i1];
             const uint32_t v3 = pointRep[i2];
 
+            if (v1 >= nVerts
+                || v2 >= nVerts
+                || v3 >= nVerts)
+                return E_UNEXPECTED;
+
             // filter out degenerate triangles
             if (v1 == v2 || v1 == v3 || v2 == v3)
                 continue;
diff --git a/DirectXMesh/DirectXMeshGSAdjacency.cpp b/DirectXMesh/DirectXMeshGSAdjacency.cpp
@@ -64,6 +64,10 @@ namespace
                 {
                     indicesAdj[outputi] = indices[face * 3 + ((point + 2) % 3)];
                 }
+                else if (a >= nFaces)
+                {
+                    return E_UNEXPECTED;
+                }
                 else
                 {
                     uint32_t v1 = indices[face * 3 + point];
@@ -82,6 +86,10 @@ namespace
                         v1 = pointRep[v1];
                         v2 = pointRep[v2];
 
+                        if (((v1 != UNUSED32) && (v1 >= nVerts))
+                            || ((v2 != UNUSED32) && (v2 >= nVerts)))
+                            return E_UNEXPECTED;
+
                         uint32_t vOther = UNUSED32;
 
                         // find other vertex
diff --git a/DirectXMesh/DirectXMeshOptimizeTVC.cpp b/DirectXMesh/DirectXMeshOptimizeTVC.cpp
@@ -112,6 +112,9 @@ namespace
 
                             if (neighbor != UNUSED32)
                             {
+                                if (neighbor >= nFaces)
+                                    return E_UNEXPECTED;
+
                                 if ((neighbor < faceOffset) || (neighbor >= faceMax)
                                     || (neighbor == adjacency[face * 3 + ((n + 1) % 3)])
                                     || (neighbor == adjacency[face * 3 + ((n + 2) % 3)]))
diff --git a/DirectXMesh/DirectXMeshRemap.cpp b/DirectXMesh/DirectXMeshRemap.cpp
@@ -66,7 +66,7 @@ namespace
                 }
             }
             else
-                return E_FAIL;
+                return E_UNEXPECTED;
         }
 
         return S_OK;
@@ -667,7 +667,7 @@ HRESULT DirectX::FinalizeVB(
         }
         else if (src >= newVerts)
         {
-            return E_FAIL;
+            return E_UNEXPECTED;
         }
         else if (src < nVerts)
         {
@@ -768,7 +768,7 @@ HRESULT DirectX::FinalizeVBAndPointReps(
             if (vertexRemap[j] != UNUSED32)
             {
                 if (vertexRemap[j] >= newVerts)
-                    return E_INVALIDARG;
+                    return E_UNEXPECTED;
 
                 vertexRemapInverse[vertexRemap[j]] = j;
             }
@@ -790,7 +790,11 @@ HRESULT DirectX::FinalizeVBAndPointReps(
 
     for (size_t i = 0; i < nDupVerts; ++i)
     {
-        pointRep[i + nVerts] = prin[dupVerts[i]];
+        uint32_t pr = dupVerts[i];
+        if (pr >= nDupVerts)
+            return E_UNEXPECTED;
+
+        pointRep[i + nVerts] = prin[pr];
     }
 
     for (size_t j = 0; j < newVerts; ++j)
@@ -801,10 +805,6 @@ HRESULT DirectX::FinalizeVBAndPointReps(
         {
             // remap entry is unused
         }
-        else if (src >= newVerts)
-        {
-            return E_FAIL;
-        }
         else if (src < nVerts)
         {
             memcpy(dptr, sptr + src * stride, stride);
diff --git a/DirectXMesh/DirectXMeshUtil.cpp b/DirectXMesh/DirectXMeshUtil.cpp
@@ -478,6 +478,9 @@ namespace
             if (indices[j] == index_t(-1))
                 continue;
 
+            if (indices[j] >= nVerts)
+                return;
+
             bool found = false;
 
             for (size_t ptr = 0; ptr < cacheSize; ++ptr)
diff --git a/DirectXMesh/DirectXMeshWeldVertices.cpp b/DirectXMesh/DirectXMeshWeldVertices.cpp
@@ -120,6 +120,9 @@ namespace
             if (i == index_t(-1))
                 continue;
 
+            if (i >= nVerts)
+                return E_UNEXPECTED;
+
             indices[j] = index_t(vertexRemapInverse[i]);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@ namespace`
`64`	`64`	`{`
`65`	`65`	`indicesAdj[outputi] = indices[face * 3 + ((point + 2) % 3)];`
`66`	`66`	`}`
	`67`	`+ else if (a >= nFaces)`
	`68`	`+ {`
	`69`	`+ return E_UNEXPECTED;`
	`70`	`+ }`
`67`	`71`	`else`
`68`	`72`	`{`
`69`	`73`	`uint32_t v1 = indices[face * 3 + point];`
`@@ -82,6 +86,10 @@ namespace`
`82`	`86`	`v1 = pointRep[v1];`
`83`	`87`	`v2 = pointRep[v2];`
`84`	`88`
	`89`	`+ if (((v1 != UNUSED32) && (v1 >= nVerts))`
	`90`	`+ \|\| ((v2 != UNUSED32) && (v2 >= nVerts)))`
	`91`	`+ return E_UNEXPECTED;`
	`92`	`+`
`85`	`93`	`uint32_t vOther = UNUSED32;`
`86`	`94`
`87`	`95`	`// find other vertex`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,9 @@ namespace`
`112`	`112`
`113`	`113`	`if (neighbor != UNUSED32)`
`114`	`114`	`{`
	`115`	`+ if (neighbor >= nFaces)`
	`116`	`+ return E_UNEXPECTED;`
	`117`	`+`
`115`	`118`	`if ((neighbor < faceOffset) \|\| (neighbor >= faceMax)`
`116`	`119`	`\|\| (neighbor == adjacency[face * 3 + ((n + 1) % 3)])`
`117`	`120`	`\|\| (neighbor == adjacency[face * 3 + ((n + 2) % 3)]))`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ namespace`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`	`else`
`69`		`- return E_FAIL;`
	`69`	`+ return E_UNEXPECTED;`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`return S_OK;`
`@@ -667,7 +667,7 @@ HRESULT DirectX::FinalizeVB(`
`667`	`667`	`}`
`668`	`668`	`else if (src >= newVerts)`
`669`	`669`	`{`
`670`		`- return E_FAIL;`
	`670`	`+ return E_UNEXPECTED;`
`671`	`671`	`}`
`672`	`672`	`else if (src < nVerts)`
`673`	`673`	`{`
`@@ -768,7 +768,7 @@ HRESULT DirectX::FinalizeVBAndPointReps(`
`768`	`768`	`if (vertexRemap[j] != UNUSED32)`
`769`	`769`	`{`
`770`	`770`	`if (vertexRemap[j] >= newVerts)`
`771`		`- return E_INVALIDARG;`
	`771`	`+ return E_UNEXPECTED;`
`772`	`772`
`773`	`773`	`vertexRemapInverse[vertexRemap[j]] = j;`
`774`	`774`	`}`
`@@ -790,7 +790,11 @@ HRESULT DirectX::FinalizeVBAndPointReps(`
`790`	`790`
`791`	`791`	`for (size_t i = 0; i < nDupVerts; ++i)`
`792`	`792`	`{`
`793`		`- pointRep[i + nVerts] = prin[dupVerts[i]];`
	`793`	`+ uint32_t pr = dupVerts[i];`
	`794`	`+ if (pr >= nDupVerts)`
	`795`	`+ return E_UNEXPECTED;`
	`796`	`+`
	`797`	`+ pointRep[i + nVerts] = prin[pr];`
`794`	`798`	`}`
`795`	`799`
`796`	`800`	`for (size_t j = 0; j < newVerts; ++j)`
`@@ -801,10 +805,6 @@ HRESULT DirectX::FinalizeVBAndPointReps(`
`801`	`805`	`{`
`802`	`806`	`// remap entry is unused`
`803`	`807`	`}`
`804`		`- else if (src >= newVerts)`
`805`		`- {`
`806`		`- return E_FAIL;`
`807`		`- }`
`808`	`808`	`else if (src < nVerts)`
`809`	`809`	`{`
`810`	`810`	`memcpy(dptr, sptr + src * stride, stride);`
Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,9 @@ namespace`
`120`	`120`	`if (i == index_t(-1))`
`121`	`121`	`continue;`
`122`	`122`
	`123`	`+ if (i >= nVerts)`
	`124`	`+ return E_UNEXPECTED;`
	`125`	`+`
`123`	`126`	`indices[j] = index_t(vertexRemapInverse[i]);`
`124`	`127`	`}`
`125`	`128`