* glTF2: Fix heap-buffer-overflow in Accessor validation and size calculation
This patch fixes a heap-buffer-overflow in
`glTF2::Accessor::ExtractData` caused by incorrect bounds validation and
available size reporting.
The vulnerability stemmed from two issues in `glTF2Asset.inl`:
1. **Underestimated validation in `Accessor::Read`**: The logic used
`GetBytesPerComponent() * count` to validate the required buffer
size. This failed to account for the actual `stride`, allowing
accessors to pass validation even if their total footprint
(including stride) exceeded the buffer view.
2. **Incorrect size reporting in `Accessor::GetMaxByteSize`**: The
function returned the total `bufferView->byteLength` while ignoring
the `byteOffset`. Since the accessor data starts at `byteOffset`,
the actual available space is `byteLength - byteOffset`. This led
`ExtractData` to permit reads that extended beyond the end of the
allocated buffer.
Changes:
* Modified `Accessor::Read` to use `GetStride() * count` for length
validation.
* Updated `Accessor::GetMaxByteSize` to correctly return
`bufferView->byteLength - byteOffset` for standard accessors and
`sparse->data.size()` for sparse accessors.
Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/483102963
* address comment
---------
Co-authored-by: CodeMender <codemender-patching@google.com>
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>