# Vulnerability overview

- Vulnerability name: Heap Buffer Overflow in Assimp HL1MDLLoader::read_animations()
- Issue number: #6615
- Status: Open
- Labels: Bug, Fuzzer, MDL, Animation
- Reporter: TYGLS
- Reported: Apr 29

## Affected scope

- Affected component: Assimp MDL::HalfLife::HL1MDLLoader::read_animations()
- Vulnerability type: Heap Buffer Overflow
- Description: While parsing a Half-Life 1 MDL file, the parser allocates an array of size 1 but writes to its second element, producing an out-of-bounds heap write. The code performs no bounds validation, so the process crashes.

## Fix

- Current status: unfixed
- Recommended measure: add bounds validation so that array writes never exceed the allocated size.

## PoC code

## ASAN report

```plaintext
INFO: Running with entropy power schedule (0xFF, 100).
INFO: Seed: 3465220298
./fuzzers/assimp_fuzzer: Running 1 inputs 1 time(s) each.
Running: /crash/re/poc.mdl
=================================================================
==100607==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000518 at pc 0x5efa8cb07f22 bp 0x7ffcb
WRITE of size 8 at 0x502000000518 thread T0
    #0 0x5efa8cb0ff1 in Assimp::MDL::HalfLife::HL1MDLLoader::read_animations() /fuzz/project/assimp/code/AssetLib/MDL/MDL/MDL/MDL.cpp:398
    #1 0x5efa8cb0a3f5 in Assimp::MDL::HalfLife::HL1MDLLoader::load_file() /fuzz/project/assimp/code/AssetLib/MDL/MDL/MDL.cpp:398
    #2 0x5efa8cb0aa27 in Assimp::MDL::HalfLife::HL1MDLLoader::HL1MDLLoader(aiScene, Assimp::IOSystem, unsigned int) /fuzz/project/assimp/code/AssetLib/MDL/MDL/MDL.cpp:398
    #3 0x5efa8cb02384 in Assimp::MDLImporter::InternReadFile(std::__cxx11::basic_string, std::allocator > const&, Assimp::IOSystem, aiScene) /fuzz/project/assimp/code/AssetLib/MDL/MDL/MDL.cpp:398
    #4 0x5efa8cb0464e in Assimp::MDLImporter::InternReadFile(std::__cxx11::basic_string, std::allocator > const&, Assimp::IOSystem, aiScene) /fuzz/project/assimp/code/AssetLib/MDL/MDL/MDL.cpp:398
    #5 0x5efa8cb002ba in Assimp::BaseImporter::ReadFile(Assimp::Importer, std::__cxx11::basic_string, std::allocator > const&, Assimp::IOSystem) /fuzz/project/assimp/code/Common/BaseImporter.cpp:40
    #6 0x5efa8cb0008a in Assimp::Importer::ReadFileFromMemory(void const, unsigned long, unsigned int, char const) /fuzz/project/assimp/code/Common/Importer.cpp:824
    #7 0x5efa8cb00260 in Assimp::Importer::ReadFileFromMemory(void const, unsigned long, unsigned int, char const) /fuzz/project/assimp/code/Common/Importer.cpp:824
```
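An added example (not Assimp's code and not the real HL1 MDL layout) of the defect class the report describes and the bounds-checked form the fix recommendation calls for: a constructed animation block whose header declares one count used for allocation and another count of entries to write, and a reader that rejects the PoC shape (allocate 1, write 2) before any out-of-bounds write. The AnimBlockHeader layout, the function names and the sample values are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>
// Constructed stand-in for an animation block (assumption: not Assimp's real
// HL1 MDL layout): two counts, then num_entries uint64_t entries.
struct AnimBlockHeader {
    uint32_t num_alloc;    // count used to size the output array
    uint32_t num_entries;  // count of entries the file asks to be written
};
static AnimBlockHeader read_header(const uint8_t *buf, size_t len) {
    if (len < sizeof(AnimBlockHeader))
        throw std::runtime_error("truncated animation block header");
    AnimBlockHeader h;
    std::memcpy(&h, buf, sizeof h);  // memcpy: no alignment assumptions on buf
    return h;
}
// Hardened reader: every index is checked against the allocated size (the
// check the vulnerable code lacks) and the entry count against remaining bytes.
std::vector<uint64_t> read_animations_checked(const uint8_t *buf, size_t len) {
    const AnimBlockHeader h = read_header(buf, len);
    const size_t payload = len - sizeof(AnimBlockHeader);
    if (h.num_entries > payload / sizeof(uint64_t))
        throw std::runtime_error("entry count exceeds remaining file data");
    std::vector<uint64_t> anims(h.num_alloc);
    for (uint32_t i = 0; i < h.num_entries; ++i) {
        if (i >= anims.size())  // reject the write of element [1] into a size-1 array
            throw std::runtime_error("animation index exceeds allocated size");
        std::memcpy(&anims[i], buf + sizeof h + i * sizeof(uint64_t), sizeof(uint64_t));
    }
    return anims;
}
// Builds a constructed block; (1, 2) is the PoC shape: allocate 1, write 2.
std::vector<uint8_t> make_block(uint32_t num_alloc, uint32_t num_entries) {
    std::vector<uint8_t> out(sizeof(AnimBlockHeader) + num_entries * sizeof(uint64_t));
    const AnimBlockHeader h{num_alloc, num_entries};
    std::memcpy(out.data(), &h, sizeof h);
    for (uint32_t i = 0; i < num_entries; ++i) {
        const uint64_t v = 0x1000 + i;  // constructed sample entry values
        std::memcpy(out.data() + sizeof h + i * sizeof(uint64_t), &v, sizeof v);
    }
    return out;
}
// True when the checked reader rejects the block, false when it parses it.
bool rejects(uint32_t num_alloc, uint32_t num_entries) {
    const auto blk = make_block(num_alloc, num_entries);
    try { read_animations_checked(blk.data(), blk.size()); return false; }
    catch (const std::runtime_error &) { return true; }
}
```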