
package/assimp: apply security patches for CVE-2025-3015, 3016

Fixes the following CVEs:
- CVE-2025-3015: A vulnerability classified as critical has been found in
                 Open Asset Import Library Assimp 5.4.3. This affects the
                 function Assimp::ASEImporter::BuildUniqueRepresentation of
                 the file code/AssetLib/ASE/ASELoader.cpp of the component
                 ASE File Handler. The manipulation of the argument mIndices
                 leads to out-of-bounds read. It is possible to initiate the
                 attack remotely. The exploit has been disclosed to the
                 public and may be used.
    See: https://www.cve.org/CVERecord?id=CVE-2025-3015

- CVE-2025-3016: A vulnerability classified as problematic was found in
                 Open Asset Import Library Assimp 5.4.3. This vulnerability
                 affects the function Assimp::MDLImporter::ParseTextureColorData
                 of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the
                 component MDL File Handler. The manipulation of the argument
                 mWidth/mHeight leads to resource consumption.
                 The attack can be initiated remotely.
    See: https://www.cve.org/CVERecord?id=CVE-2025-3016

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Titouan Christophe 2 months ago
parent
commit
9d92c7e3ff

+ 29 - 0
package/assimp/0003-ASE-fix-possible-out-of-bound-access.patch

@@ -0,0 +1,29 @@
+From 65c95bf3207b81fe522811d45780d72ed41d9c1e Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kim.kulling@googlemail.com>
+Date: Wed, 12 Mar 2025 20:17:38 +0100
+Subject: [PATCH] ASE: Fix possible out of bound access.
+
+Upstream: https://github.com/assimp/assimp/pull/6045
+
+CVE: CVE-2025-3015
+
+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
+---
+ code/AssetLib/ASE/ASELoader.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
+index eb6b37dc9b..c63edcf6bf 100644
+--- a/code/AssetLib/ASE/ASELoader.cpp
++++ b/code/AssetLib/ASE/ASELoader.cpp
+@@ -731,6 +731,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
+     unsigned int iCurrent = 0, fi = 0;
+     for (std::vector<ASE::Face>::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
+         for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
++            const uint32_t curIndex = (*i).mIndices[n];
++            if (curIndex >= mesh.mPositions.size()) {
++                throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
++            }
+             mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
+ 
+             // add texture coordinates
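
Review bot: in the BuildUniqueRepresentation hunk, the validated value `curIndex` is not used for the lookup that follows; the next line still reads `mesh.mPositions[(*i).mIndices[n]]`. Using `mesh.mPositions[curIndex]` there would tie the access to the value that was checked and avoid reading the index twice. The check also bounds the index only against `mesh.mPositions.size()`; whether the texture-coordinate code starting at the last context line reuses the same index on other arrays is not visible here and is worth confirming against the upstream pull request. As this is a backport, any such change belongs upstream rather than in the Buildroot copy of the patch.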

+ 41 - 0
package/assimp/0004-MDL-limit-max-texture-sizes.patch

@@ -0,0 +1,41 @@
+From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Wed, 12 Mar 2025 21:29:33 +0100
+Subject: [PATCH] MDL: Limit max texture sizes
+
+- closes https://github.com/assimp/assimp/issues/6022
+
+Upstream: https://github.com/assimp/assimp/pull/6046
+
+CVE: CVE-2025-3016
+
+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
+---
+ code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+index 2cac8a1e26..2e09992e89 100644
+--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
++++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+@@ -209,6 +209,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
+     return;
+ }
+ 
++static const uint32_t MaxTextureSize = 4096;
++
+ // ------------------------------------------------------------------------------------------------
+ // Load color data of a texture and convert it to our output format
+ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+@@ -219,6 +221,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+ 
+     // allocate storage for the texture image
+     if (do_read) {
++        // check for max texture sizes
++        if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
++            throw DeadlyImportError("Invalid MDL file. A texture is too big.");
++        }
++      
+         if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+             throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+         }
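
Review bot: in the ParseTextureColorData hunk, the new `MaxTextureSize` check and the existing `UINT_MAX/pcNew->mWidth` check below it throw the identical message "Invalid MDL file. A texture is too big.", so a log cannot tell which limit was hit; a message that names the 4096 limit would help triage. With both dimensions capped at 4096 the product is at most 4096 * 4096 = 16777216, so on platforms with a 32-bit unsigned int the older overflow check can no longer trigger and could be dropped or kept with a comment saying it is defence in depth. The cap is a fixed constant, so MDL files with a texture dimension above 4096 are now rejected outright, which is a behaviour change worth a line in the commit message. The whitespace-only added line after the new closing brace would be flagged by whitespace checks; since the patch is a backport, that is best fixed upstream.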

+ 6 - 0
package/assimp/assimp.mk

@@ -16,6 +16,12 @@ ASSIMP_INSTALL_STAGING = YES
 # 0002-Fix-use-after-free-in-the-CallbackToLogRedirector-59.patch
 ASSIMP_IGNORE_CVES += CVE-2024-48423
 
+# 0003-ASE-fix-possible-out-of-bound-access.patch
+ASSIMP_IGNORE_CVES += CVE-2025-3015
+
+# 0004-MDL-limit-max-texture-sizes.patch
+ASSIMP_IGNORE_CVES += CVE-2025-3016
+
 # relocation truncated to fit: R_68K_GOT16O. We also need to disable
 # optimizations to not run into "Error: value -43420 out of range"
 # assembler issues.
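
Review bot: the two new `ASSIMP_IGNORE_CVES` entries are linked to their fixes only by the comment naming each patch file, so they have to be removed together with 0003 and 0004 when the package is bumped to a release that contains the upstream fixes; an entry left behind after its patch is dropped without such a bump would hide an unfixed CVE from the CVE check. The layout follows the existing CVE-2024-48423 entry above, which keeps that pairing easy to audit.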