Ignore compiled test binaries

The v3 tester executables were accidentally committed. Ignore all test binaries built by tests/Makefile, CMakeLists.txt and meson.build so they can't be re-added by mistake. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Tighten README security wording
2026-06-18 13:18:50 +00:00 · 2026-06-03 21:03:45 +09:00 · 2026-06-03 20:58:55 +09:00 · 2026-06-03 20:58:55 +09:00
3 changed files with 12 additions and 20 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -70,9 +70,20 @@ imgui.ini
 *.app

 loader_example
+# Compiled test binaries (built by tests/Makefile, CMakeLists.txt, meson.build)
 tests/tester
 tests/tester_noexcept
+tests/tester_customjson
 tests/tester_intensive_customjson
+tests/tester_v3
+tests/tester_v3_c
+tests/tester_v3_c_cpp
+tests/tester_v3_c_v1port
+tests/tester_v3_c_v1port_cpp
+tests/tester_v3_freestanding
+tests/tester_v3_json_c
+tests/fuzzer/fuzz_gltf
+tests/fuzzer/fuzz_gltf_customjson
 tests/issue-97.gltf
 tests/issue-261.gltf
 tests/issue-495-external.gltf
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ v3 is a ground-up rewrite with a C-centric, low-overhead design:
 - **No RTTI, no exceptions required** — suitable for embedded and game-engine use.
 - **Opt-in filesystem and image I/O** — `TINYGLTF3_ENABLE_FS` / `TINYGLTF3_ENABLE_STB_IMAGE` are off by default; you control when and how assets are loaded.
 - **C++20 coroutine facade** (optional, auto-detected). C17/C++17 default.
- **Hardened against untrusted input** — URI sanitization, post-parse index-bounds validation (default-on, opt-out via `tg3_parse_options.validate_indices = 0`), strict numeric range checks; exercised by a libFuzzer harness and by a cross-version verifier that compares parsed output against the v1 C++ reference loader. See *Security model* below and the `Security Considerations` block at the top of `tiny_gltf_v3.h`.
+- **Hardened against untrusted input** — URI sanitization, post-parse index-bounds validation (default-on, opt-out via `tg3_parse_options.validate_indices = 0`), strict numeric range checks; exercised by a libFuzzer harness and by a cross-version verifier that compares parsed output against the v1 C++ reference loader. See the `Security Considerations` block at the top of `tiny_gltf_v3.h`.

 ### Quick start (v3)

@@ -55,21 +55,6 @@ tg3_model_free(&model);
 tg3_error_stack_free(&errors);
 ```

-### Security model (v3 C runtime)
-
-The v3 C runtime is built for processing **untrusted glTF/GLB input** (server-side asset pipelines, user uploads, etc.) and ships hardened by default:
-
- **URI sanitization** — external buffer/image URIs are rejected before any filesystem call if they are empty, contain NUL bytes, begin with `/` or `\`, look like a Windows drive prefix (`X:`), or contain a `..` segment. Production callers SHOULD still provide a custom `tg3_fs_callbacks.read_file` that confines reads to a known directory (e.g. via `openat` plus a `realpath` prefix check) when the input is attacker-controlled.
- **Index bounds validation** — every `int32_t` index field populated from JSON (accessor.bufferView, primitive.indices/material/attributes, scene.nodes[], skin.joints[], animation channel/sampler refs, KHR_audio + MSFT_lod refs, …) is checked after the structural parse. Out-of-range indices produce `TG3_ERR_INVALID_INDEX`. Default `tg3_parse_options.validate_indices = 1`; set to `0` only when you need raw round-trip and have your own validator.
- **Buffer/accessor range validation** — declared buffer lengths, bufferView ranges, accessor element spans, sparse accessor spans, component types, and overflow-prone size math are checked before returning a model.
- **Strict numeric range checks** — JSON numbers feeding integer fields go through finite/round-trip-validated coercion (`tg3__json_number_to_int32` / `_uint64`). `byteStride` is restricted to 0 or [4, 252].
- **Memory budget** — the arena and C JSON parser enforce `TINYGLTF3_MAX_MEMORY_BYTES` by default; `max_single_alloc` and `TINYGLTF3_MAX_STRING_LENGTH` bound individual allocation and string size.
- **Opt-in fast paths** — `skip_extras_values` avoids materializing `extras` and unknown extension value trees, and `borrow_input_buffers` lets GLB buffer spans reference caller-owned input bytes instead of copying the BIN chunk.
- **Image decoding off by default** — the parser does not decode image bytes; use `tg3_parse_options.images_as_is = 1` to skip any decoder entirely when handling untrusted input.
- **Error message lifetime** — error strings on `tg3_error_stack` are arena-allocated and remain valid until `tg3_model_free()`. Read or copy them BEFORE freeing the model.
-
-See the `Security Considerations` block at the top of `tiny_gltf_v3.h` for the authoritative threat-model summary.
-
 ### Testing & verification

 The v3 C runtime ships with three layers of automated coverage:
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,4 +0,0 @@
-# Security Policy
-
-This project manages CVE assignments exclusively through
-GitHub Security Advisories.
Author	SHA1	Message	Date
Syoyo Fujita	a434ee0206	Ignore compiled test binaries The v3 tester executables were accidentally committed. Ignore all test binaries built by tests/Makefile, CMakeLists.txt and meson.build so they can't be re-added by mistake. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-03 21:03:45 +09:00
copilot-swe-agent[bot]	7c257a60e3	Tighten README security wording	2026-06-03 20:58:55 +09:00
copilot-swe-agent[bot]	3986f89de0	Remove security docs	2026-06-03 20:58:55 +09:00