From d530cd410ba92766001961603a125da94e296989 Mon Sep 17 00:00:00 2001
From: ctrlaltf2 <23644849+ctrlaltf2@users.noreply.github.com>
Date: Mon, 20 Jan 2025 23:43:07 -0500
Subject: [PATCH] Add bounds check to images loaded from bufferviews

---
 tiny_gltf.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tiny_gltf.h b/tiny_gltf.h
index 35a4d00..0eedd65 100644
--- a/tiny_gltf.h
+++ b/tiny_gltf.h
@@ -6453,6 +6453,15 @@ bool TinyGLTF::LoadFromString(Model *model, std::string *err, std::string *warn,
           return false;
         }
         const Buffer &buffer = model->buffers[size_t(bufferView.buffer)];
+        if (bufferView.byteOffset >= buffer.data.size()) {
+          if (err) {
+            std::stringstream ss;
+            ss << "image[" << idx << "] bufferView \"" << image.bufferView
+               << "\" indexed out of bounds of its buffer." << std::endl;
+            (*err) += ss.str();
+          }
+          return false;
+        }
 
         if (LoadImageData == nullptr) {
           if (err) {