From c9cd6428dc4d4b201741f693339cd806deec77d2 Mon Sep 17 00:00:00 2001
From: Mario Zechner
Date: Tue, 24 Feb 2026 11:58:28 +0100
Subject: [PATCH] [c] Fix weighted vertex buffer overflow using realloc growth

---
 spine-c/spine-c/src/spine/SkeletonBinary.c | 24 ++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/spine-c/spine-c/src/spine/SkeletonBinary.c b/spine-c/spine-c/src/spine/SkeletonBinary.c
index f18802d38..a166e8637 100644
--- a/spine-c/spine-c/src/spine/SkeletonBinary.c
+++ b/spine-c/spine-c/src/spine/SkeletonBinary.c
@@ -1027,13 +1027,33 @@ static int _readVertices(_dataInput *input, float **vertices, int *verticesLengt
 return *verticesLength;
 }
 
- float *v = MALLOC(float, (*verticesLength) * 3 * 3);
- int *b = MALLOC(int, (*verticesLength) * 3);
+ int vertexCapacity = (*verticesLength) * 3 * 3;
+ int boneCapacity = (*verticesLength) * 3;
+ if (vertexCapacity < 8) vertexCapacity = 8;
+ if (boneCapacity < 8) boneCapacity = 8;
+ float *v = MALLOC(float, vertexCapacity);
+ int *b = MALLOC(int, boneCapacity);
 int boneIdx = 0;
 int vertexIdx = 0;
 for (int i = 0; i < vertexCount; ++i) {
 int boneCount = readVarint(input, 1);
+ int requiredBones = boneIdx + 1 + boneCount;
+ if (requiredBones > boneCapacity) {
+ while (boneCapacity < requiredBones) {
+ boneCapacity += boneCapacity >> 1;
+ }
+ b = REALLOC(b, int, boneCapacity);
+ }
 b[boneIdx++] = boneCount;
+
+ int requiredVertices = vertexIdx + boneCount * 3;
+ if (requiredVertices > vertexCapacity) {
+ while (vertexCapacity < requiredVertices) {
+ vertexCapacity += vertexCapacity >> 1;
+ }
+ v = REALLOC(v, float, vertexCapacity);
+ }
+
 for (int ii = 0; ii < boneCount; ++ii) {
 b[boneIdx++] = readVarint(input, 1);
 v[vertexIdx++] = readFloat(input) * scale;
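Review bot: `boneCount` comes straight from `readVarint(input, 1)` and is used unvalidated in `boneIdx + 1 + boneCount` and `boneCount * 3`, so a large value from the file can overflow the signed arithmetic (undefined behaviour, typically a wrap to a negative number), leave `requiredBones` or `requiredVertices` below the current capacity, and let the inner `ii` loop write past `b` and `v` just as it did before this change. Reject the value before either capacity computation, for example `if (boneCount < 0 || boneCount > INT_MAX - boneIdx - 1 || boneCount > (INT_MAX - vertexIdx) / 3)`, and fail the read there; how the failure is reported depends on the rest of `_readVertices`, which starts and ends outside this hunk. The same bound keeps `boneCapacity += boneCapacity >> 1` and its `vertexCapacity` twin from wrapping while they grow toward a near-`INT_MAX` requirement. Separately, `b = REALLOC(b, int, boneCapacity)` and the matching `v = REALLOC(...)` assign the result straight back, so if the macro can return NULL (its definition is not visible here) the next store dereferences NULL and the old buffer is leaked. A few bytes of input can also still request a very large allocation, so capping `boneCount` against the bytes remaining in `input` is worth considering.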