fix: validate face vertex indices in sequential decoder to prevent OOB access

[mohammadmseet-hue]

Summary

The sequential mesh decoder reads face vertex indices from the Draco bitstream without validating that they fall within [0, num_points). When a crafted Draco file contains out-of-range indices, attribute access via GeometryAttribute::GetValue() causes an out-of-bounds heap read.

ASan Proof

==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 12 at 0x507000000540 thread T0
    #0 in memcpy
    #1 in draco::DataBuffer::Read (data_buffer.h:48)
    #2 in draco::GeometryAttribute::GetValue (geometry_attribute.h:138)

0x507000000540 is located 1128 bytes after 72-byte region [0x507000000090,0x5070000000d8)

A 72-byte attribute buffer (6 points × 12 bytes) was accessed at index 100 (offset 1200) — 1128 bytes past the end.

Root Cause

mesh_sequential_decoder.cc lines 74-125: all four index decoding paths (uint8, uint16, uint32 varint, uint32 direct) store indices from the stream into face[j] without checking val < num_points. The compressed index path (DecodeAndDecompressIndices) has the same issue.

Impact

Any application that decodes attacker-provided .drc files is affected. The OOB read can leak heap data. Combined with attribute write operations (deduplication, transforms), this could potentially become an OOB write.

Fix

Added a validation pass after decoding connectivity that checks all face vertex indices are within [0, num_points).

Separate from PR #1166

This is a different root cause from the integer overflow in PR #1166:

• PR fix: integer overflow in face/point count multiplications → heap overflow #1166: num_faces * 3 overflow → wrong allocation size → heap overflow (WRITE)
• This PR: unvalidated face indices → OOB attribute access (READ)

[mohammadmseet-hue]

ASan Confirmation

Built with -fsanitize=address and confirmed the out-of-bounds heap read:

==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x507000000540
READ of size 12 at 0x507000000540 thread T0
    #0 in memcpy
    #1 in draco::DataBuffer::Read (data_buffer.h:48)
    #2 in draco::GeometryAttribute::GetValue (geometry_attribute.h:138)
    #3 in main poc_index_oob.cc:70

0x507000000540 is located 1128 bytes after 72-byte region [0x507000000090,0x5070000000d8)
allocated by thread T0 here:
    #0 in operator new(unsigned long)
    #1 in std::__new_allocator<unsigned char>::allocate
    ...
    #8 in draco::PointAttribute::Reset (point_attribute.cc:71)
    #9 in draco::PointCloud::CreateAttribute (point_cloud.cc:167)
    #10 in draco::PointCloud::AddAttribute (point_cloud.cc:142)

SUMMARY: AddressSanitizer: heap-buffer-overflow in memcpy

The 72-byte attribute buffer (6 points × 12 bytes/entry) was accessed at index 100 (offset 1200) — 1128 bytes past the buffer end. The face vertex index 100 was stored without validation against num_points=6.