jkuhlmann / cgltf

Single-file glTF 2.0 loader and writer written in C99
MIT License
1.42k stars 135 forks

Fix integer overflow during GLB chunk length validation #240

Closed zeux closed 8 months ago

zeux commented 8 months ago

Validation of input lengths must be performed by comparing the length with the remainder of the input data; the latter can be safely computed because we validate the remainder after every step incrementally.

Before this change, length validation was doing math in 32-bit space and could thus overflow, exposing data after the input buffer to the parser.

This was always a problem on 32-bit systems; it only became a problem on 64-bit systems after the VLA change, as before it GlbHeaderSize et al had type cgltf_size.

Found by fuzzing. Regression (on 64-bit systems) since #238.
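As an added example (not cgltf's code and not part of this PR), the two validation styles the comment contrasts, side by side: a check that sums offset and chunk length in 32-bit space, and the remainder-based check that compares the chunk length against the bytes left after an already-validated offset. The constants, function names and the sample GLB bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical constants for the GLB container: 12-byte file header
   (magic, version, length) and 8-byte chunk header (length, type). */
#define GLB_HEADER_SIZE 12u
#define GLB_CHUNK_HEADER_SIZE 8u

/* Naive check (the pattern the fix removes): offset + length is summed in
   32-bit space, so a huge chunk length wraps and the check wrongly passes. */
static int chunk_fits_naive(uint32_t total, uint32_t offset, uint32_t chunk_len) {
    uint32_t end = offset + GLB_CHUNK_HEADER_SIZE + chunk_len; /* can wrap */
    return end <= total;
}

/* Safe check: compare the chunk length against the bytes remaining after the
   already-validated offset. Subtracting validated operands cannot overflow,
   and no sum of untrusted values is ever formed. */
static int chunk_fits_safe(size_t total, size_t offset, uint32_t chunk_len) {
    if (offset > total) return 0;
    size_t remaining = total - offset;
    if (remaining < GLB_CHUNK_HEADER_SIZE) return 0;
    return (size_t)chunk_len <= remaining - GLB_CHUNK_HEADER_SIZE;
}

static uint32_t read_u32_le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the first chunk's payload length, or -1 if the blob is rejected. */
static int64_t glb_first_chunk_len(const unsigned char *buf, size_t size) {
    if (size < GLB_HEADER_SIZE + GLB_CHUNK_HEADER_SIZE) return -1;
    if (read_u32_le(buf) != 0x46546C67u) return -1; /* "glTF" magic */
    uint32_t chunk_len = read_u32_le(buf + GLB_HEADER_SIZE);
    if (!chunk_fits_safe(size, GLB_HEADER_SIZE, chunk_len)) return -1;
    return (int64_t)chunk_len;
}

/* Constructed 20-byte sample: valid header, then a JSON chunk whose declared
   length 0xFFFFFFF8 makes the naive 32-bit sum wrap to 12 and pass the check. */
static const unsigned char k_sample[20] = {
    'g', 'l', 'T', 'F', 2, 0, 0, 0, 20, 0, 0, 0,
    0xF8, 0xFF, 0xFF, 0xFF, 'J', 'S', 'O', 'N'
};
```

The naive check accepts the constructed sample while the remainder-based check rejects it; in a real parser the same remainder must be re-derived after every consumed chunk, as the comment notes.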