From 3c4a34968afab75a0a041cf8cd8f47e2fe6158a6 Mon Sep 17 00:00:00 2001
From: Alexander
Date: Thu, 16 Mar 2023 05:04:41 +0200
Subject: [PATCH] Fix for out of bounds read in tile cache builder. (#601)

Fix for reading data out of bounds in tile cache builder in removeVertex. While removing a vertex data is read from i+1 index from mesh.verts, which becomes out of bound for the last vertex, which we shouldn't copy over in this case.
---
 DetourTileCache/Source/DetourTileCacheBuilder.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DetourTileCache/Source/DetourTileCacheBuilder.cpp b/DetourTileCache/Source/DetourTileCacheBuilder.cpp
index 796e165..b1d2a2c 100644
--- a/DetourTileCache/Source/DetourTileCacheBuilder.cpp
+++ b/DetourTileCache/Source/DetourTileCacheBuilder.cpp
@@ -1558,7 +1558,7 @@ static dtStatus removeVertex(dtTileCachePolyMesh& mesh, const unsigned short rem
 }
 // Remove vertex.
- for (int i = (int)rem; i < mesh.nverts; ++i)
+ for (int i = (int)rem; i < mesh.nverts - 1; ++i)
 {
 mesh.verts[i*3+0] = mesh.verts[(i+1)*3+0];
 mesh.verts[i*3+1] = mesh.verts[(i+1)*3+1];
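Review bot: The `// Remove vertex.` comment above the loop does not say why the bound is `mesh.nverts - 1`, so a later cleanup could restore the old bound and bring back the read of `mesh.verts[(i+1)*3+k]` one vertex past the end. I would reword it to `// Shift later vertices down one slot; the last vertex has no successor to copy from, so stop at nverts - 1.` The diffstat shows only this file changed, so nothing pins the last-iteration case described in the commit message. A small removeVertex test run under a memory sanitizer would cover it. The loop body and the rest of removeVertex continue outside the hunk, so whether `rem` is validated against `mesh.nverts` before this point cannot be confirmed from here.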