Bug: Out-of-bounds Read in Assimp::ASEImporter::BuildUniqueRepresentation #6021
Comments
|
Please add "Fuzzer" label |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Out-of-bounds Read in
Assimp::ASEImporter::BuildUniqueRepresentation. An attacker could potentially exploit the vulnerability to cause a remote code execution, if they can trick the victim into running assimp on a malformed ASE file.Affected
assimp>=5.4.3
Details
In
code/AssetLib/ASE/ASELoader.cpp:734, there is no boundary validation for(*i).mIndices[n]value, which cause OOB Read inmesh.mPositionsPoC
Sanitizer Report
================================================================= ==926952==ERROR: AddressSanitizer: SEGV on unknown address 0x0001ffff7ffe (pc 0x5560ebc4dcd2 bp 0x7ffdc4210ff0 sp 0x7ffdc42107b8 T0) ==926952==The signal is caused by a READ memory access. #0 0x5560ebc4dcd2 in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) asan_interceptors_memintrinsics.cpp.o #1 0x5560ebc4db8a in __asan_memcpy (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x455b8a) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #2 0x5560ec429d62 in Assimp::ASEImporter::BuildUniqueRepresentation(Assimp::ASE::Mesh&) /workspace/assimp_fuzzer/assimp_asan/code/AssetLib/ASE/ASELoader.cpp:734:34 #3 0x5560ec427e04 in Assimp::ASEImporter::InternReadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, aiScene*, Assimp::IOSystem*) /workspace/assimp_fuzzer/assimp_asan/code/AssetLib/ASE/ASELoader.cpp:171:13 #4 0x5560ec215a12 in Assimp::BaseImporter::ReadFile(Assimp::Importer*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Assimp::IOSystem*) /workspace/assimp_fuzzer/assimp_asan/code/Common/BaseImporter.cpp:131:9 #5 0x5560ebc907e4 in Assimp::Importer::ReadFile(char const*, unsigned int) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:709:30 #6 0x5560ebc8e0a2 in Assimp::Importer::ReadFileFromMemory(void const*, unsigned long, unsigned int, char const*) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:507:9 #7 0x5560ebc89717 in LLVMFuzzerTestOneInput (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x491717) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #8 0x5560ebbb2203 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3ba203) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #9 0x5560ebb9bf7f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a3f7f) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #10 0x5560ebba1cd6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a9cd6) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #11 0x5560ebbcbaf2 in main (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3d3af2) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) #12 0x7efeebff8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #13 0x7efeebff8e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #14 0x5560ebb96844 in _start (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x39e844) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV asan_interceptors_memintrinsics.cpp.o in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) ==926952==ABORTINGCommon weakness enumerator (CWE)
The text was updated successfully, but these errors were encountered: