| タイトル | fbxcel <= 0.9.0 Denial of Service |
|---|
| 説明 | Three remotely-triggerable denial-of-service defects in the v7400 binary FBX parser of the `fbxcel` Rust crate (versions <= 0.9.0) allow an attacker who controls the input FBX file to crash any application that uses fbxcel to read user-supplied FBX files (3D viewers, game engines, asset import pipelines, model converters, Blender/Maya/glTF tooling). All three sites share a common root cause: attacker-controlled values from the FBX node / attribute header are used without bound-checking against the actual remaining input bytes.
The three defect sites:
1. fbxcel-0.9.0/src/pull_parser/v7400/parser.rs:365 — Parser::next_event_impl
Arithmetic-overflow panic. The expression `current_offset + node_header.bytelen_attributes` performs an unchecked u64 addition. When `bytelen_attributes` is attacker-supplied as a near-u64::MAX value, the addition overflows and triggers `attempt to add with overflow` in release builds with overflow-checks enabled (and in cargo-fuzz harnesses, which use it by default). The panic propagates through `Parser::next_event` to any caller pulling events, including the canonical entrypoint `fbxcel::tree::any::AnyTree::from_reader`. A 293-byte malformed FBX header deterministically reproduces the panic. CWE-190 (Integer Overflow or Wraparound).
2. fbxcel-0.9.0/src/pull_parser/v7400/attribute/loaders/direct.rs:99 — DirectLoader::load_binary
Length-prefix-overflow OOM in the binary-attribute loader. The 32-bit byte-length field of an FBX binary attribute is consumed via `read_u32_le` and immediately fed to `vec![0u8; bytelen]` (equivalent to `Vec::with_capacity(bytelen)`) without bound-checking against either the remaining stream bytes or any configurable size cap. An attacker supplying a `bytelen` of ~3.4 GiB forces the allocator to attempt a single >3 GiB allocation. A 62-byte FBX fragment reproduces this deterministically. Because FBX allows multiple binary attributes per node, repeated attributes multiply the allocation amplification. CWE-770 (Allocation of Resources Without Limits or Throttling).
3. fbxcel-0.9.0/src/pull_parser/v7400/attribute/loaders/direct.rs:106 — DirectLoader::load_string
Same length-prefix-overflow pattern as #2, but in the string-attribute loader. The 32-bit string-length field is fed to `String::with_capacity` (or equivalent unchecked allocation) without bound-checking. An attacker supplying a length of ~3.6 GiB forces the same allocation-failure DoS. A 487-byte FBX fragment reproduces this deterministically. CWE-770.
Remote attacker requires no privileges, no user interaction beyond the application opening the file, and the impact is full Availability loss of the affected process (terminated by panic for site #1; OS OOM-kill or process abort by allocation failure for sites #2 and #3).
Affected attack surfaces:
- 3D asset import pipelines (Blender, Maya, glTF / USD converters that accept FBX)
- Game engine asset loaders (Bevy, Godot extensions, Unity-via-Rust bridges) using fbxcel directly or via fbxcel-dom
- Online 3D-model viewers that decode user-uploaded FBX server-side
- CI / build-time asset processors handling untrusted third-party model assets
Upstream maintainer (lo48576) has acknowledged all three sites in https://github.com/lo48576/fbxcel/issues/13 and https://github.com/lo48576/fbxcel/issues/14 and is actively designing a unified fix: adding `len: fn(&mut Reader<R>) -> Option<u64>` to `pull_parser::ReaderFnTable<R>` to enable an attribute-length check, introducing a new `pull_parser::error::data::DataError::InvalidLength` error variant, and optionally a configurable size cap via `DataError::TooLongAttribute` (or via a new `Warning` variant for non-fatal notification on suspiciously-large-but-valid inputs). The maintainer noted that the same fix template addresses sites #1, #2, and #3 in one commit, which is why this submission covers all three under a single CVE.
|
|---|
| ソース | ⚠️ https://github.com/lo48576/fbxcel/issues/14 |
|---|
| ユーザー | Zyz3366 (UID 97230) |
|---|
| 送信 | 2026年06月09日 06:39 (1 月 ago) |
|---|
| モデレーション | 2026年07月09日 16:59 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 377215 [lo48576 fbxcel 迄 0.9.0 Node Header parser.rs サービス拒否] |
|---|
| ポイント | 20 |
|---|