Gửi #852441: fbxcel <= 0.9.0 Denial of Servicethông tin

tiêu đềfbxcel <= 0.9.0 Denial of Service
Mô tảThree remotely-triggerable denial-of-service defects in the v7400 binary FBX parser of the `fbxcel` Rust crate (versions <= 0.9.0) allow an attacker who controls the input FBX file to crash any application that uses fbxcel to read user-supplied FBX files (3D viewers, game engines, asset import pipelines, model converters, Blender/Maya/glTF tooling). All three sites share a common root cause: attacker-controlled values from the FBX node / attribute header are used without bound-checking against the actual remaining input bytes. The three defect sites: 1. fbxcel-0.9.0/src/pull_parser/v7400/parser.rs:365 — Parser::next_event_impl Arithmetic-overflow panic. The expression `current_offset + node_header.bytelen_attributes` performs an unchecked u64 addition. When `bytelen_attributes` is attacker-supplied as a near-u64::MAX value, the addition overflows and triggers `attempt to add with overflow` in release builds with overflow-checks enabled (and in cargo-fuzz harnesses, which use it by default). The panic propagates through `Parser::next_event` to any caller pulling events, including the canonical entrypoint `fbxcel::tree::any::AnyTree::from_reader`. A 293-byte malformed FBX header deterministically reproduces the panic. CWE-190 (Integer Overflow or Wraparound). 2. fbxcel-0.9.0/src/pull_parser/v7400/attribute/loaders/direct.rs:99 — DirectLoader::load_binary Length-prefix-overflow OOM in the binary-attribute loader. The 32-bit byte-length field of an FBX binary attribute is consumed via `read_u32_le` and immediately fed to `vec![0u8; bytelen]` (equivalent to `Vec::with_capacity(bytelen)`) without bound-checking against either the remaining stream bytes or any configurable size cap. An attacker supplying a `bytelen` of ~3.4 GiB forces the allocator to attempt a single >3 GiB allocation. A 62-byte FBX fragment reproduces this deterministically. Because FBX allows multiple binary attributes per node, repeated attributes multiply the allocation amplification. CWE-770 (Allocation of Resources Without Limits or Throttling). 3. fbxcel-0.9.0/src/pull_parser/v7400/attribute/loaders/direct.rs:106 — DirectLoader::load_string Same length-prefix-overflow pattern as #2, but in the string-attribute loader. The 32-bit string-length field is fed to `String::with_capacity` (or equivalent unchecked allocation) without bound-checking. An attacker supplying a length of ~3.6 GiB forces the same allocation-failure DoS. A 487-byte FBX fragment reproduces this deterministically. CWE-770. Remote attacker requires no privileges, no user interaction beyond the application opening the file, and the impact is full Availability loss of the affected process (terminated by panic for site #1; OS OOM-kill or process abort by allocation failure for sites #2 and #3). Affected attack surfaces: - 3D asset import pipelines (Blender, Maya, glTF / USD converters that accept FBX) - Game engine asset loaders (Bevy, Godot extensions, Unity-via-Rust bridges) using fbxcel directly or via fbxcel-dom - Online 3D-model viewers that decode user-uploaded FBX server-side - CI / build-time asset processors handling untrusted third-party model assets Upstream maintainer (lo48576) has acknowledged all three sites in https://github.com/lo48576/fbxcel/issues/13 and https://github.com/lo48576/fbxcel/issues/14 and is actively designing a unified fix: adding `len: fn(&mut Reader<R>) -> Option<u64>` to `pull_parser::ReaderFnTable<R>` to enable an attribute-length check, introducing a new `pull_parser::error::data::DataError::InvalidLength` error variant, and optionally a configurable size cap via `DataError::TooLongAttribute` (or via a new `Warning` variant for non-fatal notification on suspiciously-large-but-valid inputs). The maintainer noted that the same fix template addresses sites #1, #2, and #3 in one commit, which is why this submission covers all three under a single CVE.
Nguồn⚠️ https://github.com/lo48576/fbxcel/issues/14
Người dùng
 Zyz3366 (UID 97230)
Đệ trình09/06/2026 06:39 (cách đây 1 tháng)
Kiểm duyệt09/07/2026 16:59 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB377215 [lo48576 fbxcel đến 0.9.0 Node Header parser.rs Từ chối dịch vụ]
điểm20

Interested in the pricing of exploits?

See the underground prices here!