The v3 tester executables were accidentally committed. Ignore all
test binaries built by tests/Makefile, CMakeLists.txt and meson.build
so they can't be re-added by mistake.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When TG3JSON_USE_STDLIB_FPCONV is enabled (auto-selected on MSVC), the
stdlib float-formatting block in tg3json__dtoa_c() always returns, making
the manual long-double formatting fallback dead code. MSVC /W4 /WX turned
the resulting C4702 (unreachable code) into a build error.
Make the manual fallback an #else branch of the stdlib path so neither
configuration contains unreachable code, and guard the fallback-only
locals and helpers (tg3json__utoa, tg3json__write_exp,
tg3json__format_decimal_digits) under !TG3JSON_USE_STDLIB_FPCONV to avoid
unused-function/variable warnings on the stdlib path.
Verified with gcc -Wall -Wextra -Werror across all v3 C test sources in
both fpconv configurations, plus runtime runs of tester_v3_json_c.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
run 25611531122 surfaced two failures:
- Stock Ubuntu clang errored on `-Wno-pre-c11-compat` (added in newer
clang). Add `-Wno-unknown-warning-option` so older clang silently
ignores warning flags it doesn't know.
- MSVC /W4 /WX failed on C4996 (fopen deprecation). Define
`_CRT_SECURE_NO_WARNINGS` for the v3 C MSVC build; the parser uses
fopen by design and v1 already takes the same approach.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Silence the deprecation warnings reported on
https://github.com/syoyo/tinygltf/actions/runs/25610558215 by upgrading
all `actions/checkout` usages from v1/v2/v3/v4 to v5 (Node 24 runtime)
and the CodeQL actions from v2 to v3.
msys2/setup-msys2 stays at v2 — it's the latest tag.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Escalate v3 C warning levels in CI to catch latent issues:
gcc/clang now run with -Werror, clang adds -Weverything (with a
small irreducible suppression list for -Wpadded, -Wunsafe-buffer-usage,
-Wcast-align, etc.), and a new MSVC job builds tester_v3_c with /W4 /WX.
Source fixes to clear the elevated warnings:
- tg3__arena_new_block: cast through void* to silence -Wcast-align.
- tg3__value_to_json: handle TG3_VALUE_BINARY explicitly and drop the
default label so -Wswitch-enum and -Wcovered-switch-default agree.
- Drop unused tg3__json_set_value_copy.
- tinygltf_json_c.h: enumerate all tg3json_value_type cases in
tg3json_value_free / tg3json_value_copy / tg3json__stringify_value_ex.
- tester_v3_c_v1port FAIL macro: split the format/newline prints so it
no longer relies on the GNU `, ##__VA_ARGS__` extension.
Verified: clang -Werror -Weverything builds clean, 13/13 internal
tests, 18/18 v1-port tests, and 134/134 cross-version regression all
pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ci.yml now runs the v3 C suites under three Linux toolchains:
- v3-c-tests (default cc / GCC, -Wall -Wextra)
- v3-c-tests-clang (stock Ubuntu clang)
- v3-c-tests-clang21 (clang 21 from apt.llvm.org, matching local dev)
The validator helper macros TG3__IDX_BAD / TG3__CHECK_REQ /
TG3__CHECK_OPT used the GNU `, ##__VA_ARGS__` extension, which clang
flags under -Wpedantic. Every call site already passes at least one
variadic argument, so plain __VA_ARGS__ (C11) suffices.
Local verification: clang-21 -Wall -Wextra builds tester_v3_c and
tester_v3_c_v1port with zero warnings introduced by the v3 changes
(only the pre-existing tg3__json_set_value_copy unused-function
notice remains, unrelated to this work). All suites pass under gcc
13.3 and clang 21.1 alike, plus the 134-model cross-version
verifier.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ci.yml: two new jobs.
- v3-c-tests builds tester_v3_c (security regressions) and
tester_v3_c_v1port (18 ported v1 unit tests) with the default
system cc (gcc on ubuntu-latest) and runs both.
- v3-c-tests-sanitizers rebuilds the same suites under clang with
-fsanitize=address,undefined and ASAN_OPTIONS=halt_on_error=1 plus
leak detection so memory-safety regressions break CI.
c-cpp.yml: add a v3_c_tests step to build-linux so the legacy gcc
workflow also exercises the v3 C parser end-to-end.
Both invoke the parser via parse_auto with TINYGLTF3_ENABLE_FS so the
external-file paths (and the new path-traversal/file-size guards)
are exercised end-to-end.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tests/tester_v3_c_v1port.c mirrors 18 parse/load test cases from
tester.cc against the pure-C v3 runtime: parse-error, datauri-in-glb,
extension-with-empty-object, extension-overwrite, four bounds-checking
cases, glb-invalid-length, integer-out-of-bounds,
pbr-khr-texture-transform (verifies KHR_texture_transform scale via
tg3_value introspection), image-uri-spaces (single + multiple),
empty-skeleton-id, filesize-check, load-issue-416-model,
zero-sized-bin-chunk-glb, images-as-is, inverse-bind-matrices-optional,
default-material. Header comment lists tester.cc cases skipped because
they exercise the v3 writer or v1-internal helpers (out of scope).
Wiring max_external_file_size in the parser exposed by the
filesize-check port: the option was declared in tg3_parse_options but
never enforced. tg3__load_external_file now rejects loaded files larger
than the cap with TG3_ERR_FILE_TOO_LARGE and frees the buffer the fs
callback returned to avoid a leak. The 134-model verifier and the
existing tester_v3_c security regressions still pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a Security model subsection covering URI sanitization, index-bounds
validation, strict numeric ranges, the 1 GB memory budget, image-decoder
opt-out, and error message lifetime — pointing to the authoritative
Security Considerations block in tiny_gltf_v3.h.
Adds a Testing & verification subsection describing the three coverage
layers shipped with the v3 C runtime: internal regression tests in
tester_v3_c, the cross-version DIGEST verifier in test_runner.py, and
the libFuzzer harness with ASan+UBSan in tests/v3/fuzzer/.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Threat model: parser is intended for server-side processing of attacker-
supplied glTF/GLB. Two adversarial review rounds plus a 1-hour libFuzzer
run (4 workers, ASan+UBSan, ~420M execs total, zero new artifacts) drove
this set of fixes. Concrete PoCs in tests/v3/security/ confirmed each
issue was exploitable on the prior code.
Path traversal (CRITICAL): tg3__load_external_file concatenated base_dir
with the JSON-supplied URI verbatim. A glTF with
"uri":"../../../tmp/secret" successfully loaded the file from outside
base_dir (verified by FNV64 match). New tg3__uri_is_safe rejects empty,
NUL, leading / or \\, Windows drive prefixes, and any '..' segment.
Path-buffer length checks switched to saturating subtraction so 32-bit
size_t cannot wrap.
Sign-coercion in byteStride: int32_t -1 was cast directly to uint32_t,
producing 0xFFFFFFFF and propagating into downstream count*stride math.
Restrict to glTF spec range: 0 (tightly packed) or [4, 252].
Index validation: parsed int32 index fields (accessor.bufferView,
primitive.indices/material/attributes, node.mesh/skin/camera/light,
scene.nodes[], skin.joints[], animation channel/sampler refs, MSFT_lod
ids, KHR_audio emitter/source refs, etc.) were stored unchecked. New
tg3__validate_indices walks every index field and returns
TG3_ERR_INVALID_INDEX on out-of-range. Gated by
tg3_parse_options.validate_indices, defaulting to 1.
Use-after-free on parse failure (PRE-EXISTING, surfaced by ASan during
fix verification): tg3_parse and tg3_parse_glb destroyed model->arena_
on error paths, but error messages on the user-facing tg3_error_stack
were arena-allocated. Any caller reading errors.entries[i].message
after parse failure read freed memory. tg3_model_free is now sole arena
owner; arena lives across error paths so messages stay valid until the
caller frees the model.
Other fixes:
- tg3_parse_glb: hoist tg3__model_init before header parse so callers
can safely tg3_model_free on header failure.
- tg3__parse_primitive morph targets: when arena alloc returns NULL,
pair with target_counts[ti]=0 so validators do not deref.
- Defensive 'if (!tarr) continue' in the morph-target validator loop.
- New Security Considerations block in tiny_gltf_v3.h documents the
threat model, default-on validation, fs-callback contract, and error
message lifetime.
Verification: 13 internal tests in tester_v3_c (incl. 7 new security
regressions covering path traversal absolute and relative, fs-callback
no-call assertion, byteStride wrap, OOB index, opt-in raw mode, ext
fields, and arena-message lifetime), 134/134 Khronos sample models
match v1 ground truth digest, 1-hour ASan+UBSan fuzz on the final code
clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a structured DIGEST block (asset, buffers w/ FNV-1a hash, bufferViews,
accessors w/ min/max, mesh primitives w/ sorted attribute maps, nodes w/
normalized TRS+matrix, materials, textures/samplers/images, skins,
animations, cameras, scenes) emitted by both loader_example (v1) and
tester_v3_c (v3 C, now accepting a file arg). test_runner.py runs both,
diffs the digests, and reports counts/digest mismatches with v1 as truth.
Also rolls in /simplify follow-ups on top of 7f736d1: a shared
tg3__json_number_to_double helper to dedupe inline number coercions, a
collapsed fuzz_gltf_v3_c harness using a single tg3_fuzz_run dispatcher,
a rewritten max_safe_uint64_real comment explaining the 53-bit mantissa
constraint, and a tests/Makefile fix so tester_v3_c is a real prerequisite
of `all` (built once via the dedicated rule, not duplicated).
Verifier passes 134/134 on the Khronos glTF-Sample-Models/2.0 suite.
bufferView.target and image.mime_type/uri are intentionally excluded from
the digest: v1 infers target from accessor usage and rewrites image
URIs/mime via stb_image, neither of which is a parse-fidelity concern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reject non-finite/out-of-range JSON numbers in int32/uint64 fields and
array/attribute elements instead of silently truncating, initialize the
model on parse-file failure, and free the partial JSON document when the
root is not an object. Adds a pure-C libFuzzer harness (fuzz_gltf_v3_c)
alongside the existing C++ one and tests covering the new failure modes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update README.md to describe the pure-C v3 runtime accurately, fix the JSON backend reference, and mark the new C implementation as experimental.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduce a C-first TinyGLTF v3 runtime in tiny_gltf_v3.c with a pure-C JSON backend, hook the public header to the new implementation, and add CMake/test coverage for parse and write round-trips.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
