A crafted input leads to crash (an invalid memory address dereference) at COLLADAFWArrayPrimitiveType.h:228 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1944141==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55cd16f425d1 bp 0x0ab9a2e7cf3a sp 0x7fffaa0ea050 T0)
==1944141==The signal is caused by a READ memory access.
==1944141==Hint: address points to the zero page.
#0 0x55cd16f425d0 in COLLADASaxFWL::MeshPrimitiveInputList::appendInputElement(COLLADASaxFWL::InputShared*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshPrimitiveInputList.cpp:58
#1 0x55cd16f2681f in COLLADASaxFWL::MeshLoader::beginInput(COLLADASaxFWL::input____InputLocalOffset__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:1106
#2 0x55cd16cc425c in non-virtual thunk to COLLADASaxFWL::MeshLoader14::begin__input____InputLocalOffset(COLLADASaxFWL14::input____InputLocalOffset__AttributeData const&) (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x194025c)
#3 0x55cd16108812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
#4 0x55cd16f713e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
#5 0x7f98b48c015e in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b15e)
#6 0x7f98b48c2f27 (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
#7 0x7f98b48c87cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
#8 0x7f98b48c9f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
#9 0x55cd16f719cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
#10 0x55cd15b613ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
#11 0x55cd15b5ea3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
#12 0x55cd15aef2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
#13 0x55cd15adf6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
#14 0x55cd15a8bfbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
#15 0x7f98b435d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#16 0x55cd15ade8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshPrimitiveInputList.cpp:58 in COLLADASaxFWL::MeshPrimitiveInputList::appendInputElement(COLLADASaxFWL::InputShared*)
==1944141==ABORTING
GDB info:
Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
A crafted input leads to crash (an invalid memory address dereference) at
COLLADAFWArrayPrimitiveType.h:228in opencolladavalidatorv1.6.68(the latest version, checked on Ubuntu/Debian packages and current master).PoC: PoC.zip
Triggered by:
./OpenCOLLADAValidator PoC.daeASAN report:
GDB info:
Environment: Host Operating System and version: Ubuntu 20.04.2 LTS Host CPU architecture: x86_64