From 21607dfb756a1119a9607bf19cc2de5fba3e2d5f Mon Sep 17 00:00:00 2001 From: Bill Wendling Date: Sat, 21 Feb 2026 10:19:02 -0800 Subject: [PATCH] Obj: Fix heap-buffer-overflow in getFace via vertical tabs (#6540) The `ObjFileParser::getFace` method failed to recognize the vertical tab character (`\v`, 0x0b) as a separator. While the `IsSpaceOrNewLine` utility handles most whitespace (space, tab, CR, LF, FF), it excludes `\v`. When encountering a vertical tab, the parser fell through to an `else` block that calls `::atoi(&(*m_DataIt))`. Because `atoi` treats `\v` as whitespace per the C standard, it skips the character and continues reading. If `\v` is located at the end of the buffer (e.g., followed by a newline at the buffer boundary), `atoi` can read past the allocated memory, triggering a heap-buffer-overflow. This fix explicitly checks for `\v` and treats it as a separator, resetting the position counter and preventing the invalid `atoi` call. Verified with AddressSanitizer and confirmed that all 584 existing unit tests pass. Fixes: https://issues.oss-fuzz.com/issues/476180586 Signed-off-by: Bill Wendling Co-authored-by: Meder Kydyraliev Co-authored-by: CodeMender --- code/AssetLib/Obj/ObjFileParser.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code/AssetLib/Obj/ObjFileParser.cpp b/code/AssetLib/Obj/ObjFileParser.cpp index 921ae6c3d..cc843468d 100644 --- a/code/AssetLib/Obj/ObjFileParser.cpp +++ b/code/AssetLib/Obj/ObjFileParser.cpp @@ -467,7 +467,7 @@ void ObjFileParser::getFace(aiPrimitiveType type) { ASSIMP_LOG_ERROR("Obj: Separator unexpected in point statement"); } iPos++; - } else if (IsSpaceOrNewLine(*m_DataIt)) { + } else if (IsSpaceOrNewLine(*m_DataIt) || *m_DataIt == '\v') { iPos = 0; } else { //OBJ USES 1 Base ARRAYS!!!!
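Review bot: the added `|| *m_DataIt == '\v'` check closes this one call site in `getFace`, but the commit message itself states that `IsSpaceOrNewLine` excludes `\v` in general, so any other parsing path that uses `IsSpaceOrNewLine` as its separator test and then falls through to `::atoi(&(*m_DataIt))` keeps the same failure mode; consider adding `\v` to `IsSpaceOrNewLine` (or a sibling helper used by the OBJ parser) rather than special-casing it here. The underlying defect is also left in place: `::atoi(&(*m_DataIt))` is called on a buffer that is not guaranteed to be NUL-terminated, which is exactly why skipping whitespace at the buffer boundary reads out of bounds; a bounded conversion that takes an end iterator (or an explicit check that `m_DataIt` is not at the end of the data before the call) would remove the class of bug instead of one trigger. Finally, the message reports that the existing 584 unit tests pass but adds no regression test; a small test that feeds a face statement ending in `\v` immediately before the buffer boundary, run under AddressSanitizer as the message describes, would pin this fix in place.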