Files
assimp/code/AssetLib/glTF2
Oliver Chang 8acd2c964e glTF2: Fix heap-buffer-overflow in Accessor validation and size calculation (#6473)
* glTF2: Fix heap-buffer-overflow in Accessor validation and size calculation

This patch fixes a heap-buffer-overflow in
`glTF2::Accessor::ExtractData` caused by incorrect bounds validation and
available size reporting.

The vulnerability stemmed from two issues in `glTF2Asset.inl`:

1.  **Underestimated validation in `Accessor::Read`**: The logic used
    `GetBytesPerComponent() * count` to validate the required buffer
    size. This failed to account for the actual `stride`, allowing
    accessors to pass validation even if their total footprint
    (including stride) exceeded the buffer view.
2.  **Incorrect size reporting in `Accessor::GetMaxByteSize`**: The
    function returned the total `bufferView->byteLength` while ignoring
    the `byteOffset`. Since the accessor data starts at `byteOffset`,
    the actual available space is `byteLength - byteOffset`. This led
    `ExtractData` to permit reads that extended beyond the end of the
    allocated buffer.

Changes:
*   Modified `Accessor::Read` to use `GetStride() * count` for length
    validation.
*   Updated `Accessor::GetMaxByteSize` to correctly return
    `bufferView->byteLength - byteOffset` for standard accessors and
    `sparse->data.size()` for sparse accessors.

Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/483102963

* address comment

---------

Co-authored-by: CodeMender <codemender-patching@google.com>
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
2026-02-17 10:57:40 +01:00
..