| Titre | Open Asset Import Library Assimp 6.0.2 / master commit 0581ed5 Heap-based Buffer Overflow |
|---|
| Description | The crash occurs in Q3DImporter::InternReadFile() while allocating texture data:
unsigned int mul = tex->mWidth * tex->mHeight;
aiTexel *begin = tex->pcData = new aiTexel[mul];
aiTexel *const end = &begin[mul - 1] + 1;
for (; begin != end; ++begin) {
begin->r = stream.GetI1();
begin->g = stream.GetI1();
begin->b = stream.GetI1();
begin->a = 0xff;
}
When the file provides extremely large mWidth and mHeight, their product overflows the unsigned int range, causing mul to wrap around to a small number (observed as 0 during GDB debugging). Immediately afterward, the code calculates end = &begin[mul - 1] + 1, which underflows mul - 1 and creates an invalid pointer far beyond the allocated buffer. The subsequent loop then writes out of bounds, triggering a heap-buffer-overflow. Proper bounds checking and using 64-bit arithmetic before multiplication would prevent this vulnerability. |
|---|
| La source | ⚠️ https://github.com/assimp/assimp/issues/6358 |
|---|
| Utilisateur | sand (UID 90194) |
|---|
| Soumission | 19/09/2025 10:10 (il y a 7 mois) |
|---|
| Modérer | 04/10/2025 08:08 (15 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 327011 [Open Asset Import Library Assimp 6.0.2 Q3DLoader.cpp InternReadFile buffer overflow] |
|---|
| Points | 20 |
|---|