jw007123 / hp-Adaptive-Signed-Distance-Field-Octree

Multi-threaded SDF generation via hp approximation in C++
https://www.animation.rwth-aachen.de/media/papers/2017-TVCG-HPDistanceFields.pdf
MIT License

Buffer overflow and stack smashing when loading .obj files with empty comments. #3

Closed AlgoryxMartinN closed 7 months ago

AlgoryxMartinN commented 7 months ago

In ObjParser.cpp, in ParseLine, there is a loop that determines the identifier for the current line by searching for the first space. If there is no space then the loop will copy an indefinite amount of bytes, overwrite the stack-allocated buffer, and garbage the stack frame including the return address.

First few lines of an example .obj file that crashes, notice the lines that are just a single # and then nothing more:

#
# Object file
# Created by SpaceClaim
#

Possible fix:

         // Determine identifier
-        while (lineBuff_[pos] != ' ')
+        while (lineBuff_[pos] != ' ' && lineBuff_[pos] != '\0' && pos < sizeof(type))
         {
             type[pos] = lineBuff_[pos];
             pos++;
         }
-        
+        type[sizeof(type) - 1] = '\0';
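Review bot: the new `pos < sizeof(type)` bound should be the first operand of the loop condition so that `pos` is checked before `lineBuff_[pos]` is read, and it only protects `type` if `type` is a local array rather than a pointer (`sizeof` on a pointer yields the pointer size). Suggest `while (pos < sizeof(type) - 1 && lineBuff_[pos] != '\0' && lineBuff_[pos] != ' ')`, which also leaves room for the terminator written on the next line instead of overwriting the last copied character. When the loop exits because the bound was hit rather than because a space was found, `pos` no longer points at the separator, so the rest of the line is parsed from the middle of the identifier; the caller should be able to tell that apart (for example by checking whether `lineBuff_[pos]` is a space) and skip the line.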
jw007123 commented 7 months ago

The obj parser is just supposed to be pretty basic and really just a way of getting basic meshes in to test. There's no doubt far, far better ones out there (or switch to gltf!) that will do the job just fine. I'm happy to make a small bug fix for this because why not, but don't expect anything jaw-dropping!

AlgoryxMartinN commented 7 months ago

Yeah, I know. I switched to another parser because of other features I need, but with this fix the obj parser could read all the meshes I have so I figured I might as well share what I changed. I don't have a clean working copy I can create a pull request from, but I can set that up if it makes it easier for you.
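The following is an added example, not code from the repository or from either commenter: a stand-alone model of the identifier-extraction loop described in this issue, with the unbounded pattern kept only for comparison next to a bounded version. The buffer sizes, the `Identifier` and `ParseSummary` types, and the function names are assumptions chosen for the example; the sample .obj text is constructed to mirror the comment-only lines reported above.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Assumed sizes standing in for the parser's fixed-size line buffer and identifier buffer.
constexpr std::size_t kLineBuffSize = 256;
constexpr std::size_t kTypeSize = 8;

// Result of extracting the identifier ("v", "vn", "f", "#", ...) at the start of a line.
struct Identifier {
    char type[kTypeSize];
    std::size_t pos;   // index of the first character after the identifier
    bool ok;           // false if the identifier was empty or did not fit in `type`
};

// The pattern from the issue: stops only at a space. A line such as "#" with no space makes
// the loop write past the end of `type` and keep reading from the line buffer.
// Kept for comparison only; not called anywhere in this example.
void ExtractIdentifierUnbounded(const char* lineBuff, char* type) {
    std::size_t pos = 0;
    while (lineBuff[pos] != ' ') { type[pos] = lineBuff[pos]; pos++; }
}

// Bounded version: check `pos` before every read and write, stop at NUL or at the end of the
// line, always NUL-terminate, and report an overlong identifier instead of truncating it.
Identifier ExtractIdentifier(const char* lineBuff, std::size_t lineLen) {
    Identifier id{};
    std::size_t pos = 0;
    while (pos < lineLen && lineBuff[pos] != '\0' && lineBuff[pos] != ' ') {
        if (pos >= sizeof(id.type) - 1) {          // no room left for the terminator
            id.type[sizeof(id.type) - 1] = '\0';
            id.pos = pos;
            id.ok = false;
            return id;
        }
        id.type[pos] = lineBuff[pos];
        pos++;
    }
    id.type[pos] = '\0';
    id.pos = pos;
    id.ok = pos > 0;
    return id;
}

struct ParseSummary {
    std::vector<std::string> types;   // identifier of every accepted line, in order
    std::size_t skipped;              // lines with an empty or overlong identifier
};

// Feed each line of an .obj text through a fixed-size line buffer, as the parser would,
// and collect the identifiers the bounded extractor accepts.
ParseSummary ParseObjText(const std::string& text) {
    ParseSummary s{};
    std::size_t start = 0;
    while (start < text.size()) {
        std::size_t end = text.find('\n', start);
        if (end == std::string::npos) end = text.size();
        char lineBuff[kLineBuffSize] = {};
        std::size_t n = std::min(end - start, kLineBuffSize - 1);
        std::memcpy(lineBuff, text.data() + start, n);
        Identifier id = ExtractIdentifier(lineBuff, n);
        if (id.ok) s.types.emplace_back(id.type); else s.skipped++;
        start = end + 1;
    }
    return s;
}

// Constructed sample modelled on the header lines reported in the issue, plus one
// vertex line and one line whose identifier is longer than `type` can hold.
const char* const kSampleObj =
    "#\n# Object file\n# Created by SpaceClaim\n#\nv 0 0 0\nveryverylongid 1\n";

int main() {
    ParseSummary s = ParseObjText(kSampleObj);
    return (s.types.size() == 5 && s.skipped == 1) ? 0 : 1;
}
```

The two changes that matter are the order of the checks (the index is compared against the buffer size before it is used to read or write) and the explicit `ok` flag, so that an identifier that does not fit is reported to the caller rather than silently cut short with `pos` left in the middle of the token.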