| Title | Open Asset Import Library Assimp 5.4.3 Use After Free |
|---|---|
| Description | The program experiences a heap-use-after-free error when accessing a `std::vector` in the `Assimp::BVHLoader::ReadNodeChannels` function in `assimp/code/AssetLib/BVH/BVHLoader.cpp:303`. The error occurs after the memory for an object (specifically the `pNode` or its member `mChannels`) has been freed, but the program attempts to push a new element into the vector, causing undefined behavior and a crash. |

```cpp
void BVHLoader::ReadNodeChannels(BVHLoader::Node &pNode) {
    // number of channels. Use the float reader because we're lazy
    float numChannelsFloat = GetNextTokenAsFloat();
    unsigned int numChannels = (unsigned int)numChannelsFloat;

    for (unsigned int a = 0; a < numChannels; a++) {
        std::string channelToken = GetNextToken();
        ...
        else if (channelToken == "Zrotation")
            // line 303: push_back on a vector whose owning Node may already be freed
            pNode.mChannels.push_back(Channel_RotationZ);
        else
            ThrowException("Invalid channel specifier \"", channelToken, "\".");
    }
}
```
This function attempts to push new values into the `mChannels` vector of `pNode`. The error occurs if `pNode` or its member `mChannels` has already been freed earlier in the program.
The following function appears to allocate memory for child nodes (`Assimp::BVHLoader::ReadNode()` in `assimp/code/AssetLib/BVH/BVHLoader.cpp`):
```cpp
// child node is heap-allocated and then owned by the parent's child list
aiNode *child = ReadEndSite(nodeName);
child->mParent = node;
childNodes.push_back(child);
```
If a node or any of its components are freed prematurely (perhaps when deleting `node->mChildren`), any subsequent access to them could cause the heap-use-after-free error observed.
| Source | https://github.com/assimp/assimp/issues/6219 |
|---|---|
| User | Rulkallos (UID 86201) |
| Submitted | 2025-06-06 08:23 AM (1 year ago) |
| Moderation | 2025-06-15 12:18 PM (9 days later) |
| Status | Accepted |
| VulDB entry | 312588 [Open Asset Import Library Assimp up to 5.4.3 BVHLoader.cpp ReadNodeChannels pNode memory corruption] |
| Points | 20 |