Bug
MeshEdgebreakerDecoderImpl::DecodeConnectivity() in
mesh_edgebreaker_decoder_impl.cc:380 reads num_faces from untrusted
input and passes it directly to vector::reserve() without any
upper-bound validation.
A crafted 61-byte Draco file causes attempted allocation of 3.4+ GB,
crashing any application that decodes untrusted .drc files.
PoC
Base64: RFJBQ08BAAEBXQEBAAB9AAAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMAAA==
Impact
Denial of service. Any application using Draco to decode untrusted
mesh data (web browsers via WebAssembly, 3D viewers, game engines)
can be crashed with minimal input.
Suggested Fix
Cap num_faces and num_points against available buffer size before
calling reserve().
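To make the suggested check concrete, the following is an added illustration written for this report; it is not Draco's code, and the `Face` struct, the function names and the per-face floor `kMaxFacesPerInputByte` are assumptions chosen for the example. It reads a varint face count from a byte buffer, shows the unchecked reserve() pattern the report describes, and beside it the hardened form that rejects any count the remaining input could not possibly encode before any allocation is attempted.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical triangle record; stands in for whatever the real decoder
// reserves per face. 12 bytes per face means a 32-bit count can request
// tens of gigabytes.
struct Face { uint32_t v[3]; };

// Decode an unsigned LEB128-style varint. Returns false if the buffer ends
// before the varint does or if it runs past 5 bytes (malformed for uint32).
static bool DecodeVarint(const std::vector<uint8_t>& in, size_t* pos, uint32_t* out) {
  uint32_t value = 0;
  for (int shift = 0; shift < 35; shift += 7) {
    if (*pos >= in.size()) return false;          // truncated input
    const uint8_t b = in[(*pos)++];
    value |= static_cast<uint32_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) { *out = value; return true; }
  }
  return false;
}

// Weak pattern: the count comes straight from the file and is handed to
// reserve() unchecked. A crafted count near 2^32 triggers a multi-GB
// allocation and a crash (or std::bad_alloc) before any face is read.
static bool DecodeConnectivityUnchecked(const std::vector<uint8_t>& in,
                                        std::vector<Face>* faces) {
  size_t pos = 0;
  uint32_t num_faces = 0;
  if (!DecodeVarint(in, &pos, &num_faces)) return false;
  faces->reserve(num_faces);  // num_faces * sizeof(Face) bytes, unbounded
  return true;
}

// Assumption for this example: every face must consume at least one bit of
// the remaining connectivity stream, so at most 8 faces per remaining input
// byte. The real floor depends on the symbol coding and should be derived
// from the format; the point is that it is finite and tied to buffer size.
constexpr size_t kMaxFacesPerInputByte = 8;

// Hardened pattern: bound the face count by what the remaining bytes can
// back, and only then reserve. Returns false on any count the buffer could
// not legitimately encode, so a 61-byte file can never request gigabytes.
static bool DecodeConnectivityChecked(const std::vector<uint8_t>& in,
                                      std::vector<Face>* faces) {
  size_t pos = 0;
  uint32_t num_faces = 0;
  if (!DecodeVarint(in, &pos, &num_faces)) return false;
  const size_t remaining = in.size() - pos;
  if (remaining > SIZE_MAX / kMaxFacesPerInputByte) return false;  // overflow guard
  const size_t max_faces = remaining * kMaxFacesPerInputByte;
  if (num_faces > max_faces) return false;  // count not backed by the input
  faces->reserve(num_faces);                 // now bounded by input size
  return true;
}

int main() {
  // Constructed inputs: a benign count of 3, and a hostile count of
  // 0xFFFFFFFF (varint FF FF FF FF 0F) followed by only 3 bytes of payload.
  const std::vector<uint8_t> benign  = {0x03, 0x00, 0x00, 0x00};
  const std::vector<uint8_t> hostile = {0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 0x00, 0x00, 0x00};
  std::vector<Face> faces;
  std::printf("benign  checked: %s\n", DecodeConnectivityChecked(benign, &faces) ? "ok" : "rejected");
  std::printf("hostile checked: %s\n", DecodeConnectivityChecked(hostile, &faces) ? "ok" : "rejected");
  // DecodeConnectivityUnchecked(hostile, ...) is deliberately not called:
  // it would attempt the multi-GB reserve this report describes.
  return 0;
}
```

Usage: the checked decoder rejects the hostile count without touching the allocator, while the unchecked one is only ever safe on input it has no reason to trust. The same bound applies to num_points, with a different per-point floor.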
Found via fuzzing with AddressSanitizer.