USDZ (or other zipFile) parsing has undefined behavior and can cause buffer over-flow/run #1579
Comments
|
Filed as internal issue #USD-6818 |
lkerley
pushed a commit
to imageworks/USD
that referenced
this issue
Jan 7, 2022
where default-constructed structs may incorrectly be detected as valid if their signature field happened to be initialized with a value that matched the expected signature. This initial fix for this issue was provided by @marsupial in PR PixarAnimationStudios#1578. Fixes PixarAnimationStudios#1579 (Internal change: 2206828)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm no expert in how, but it seems like you could craft a malicious usdz or two that exploits these issues and does bad things?
Undefined behavior:
_ReadLocalFileHeader can early exit many times on failure, and returns a default constructed _LocalFileHeader
The signature field of that _LocalFileHeader; however, is un-initialized and could wind up containing the proper magic which will make _LocalFileHeader::IsValid return true.
Buffer over-run/flow:
Dereferencing an invalid Iterator, will try to construct a
std::stringwith an undefined memory location and size. Case can be made that if the Iterator is bad/end then it shouldn't be dereferenced, but combined with the above, one can even get an invalid Iterator that would appear to the user as valid (!= end()) from Iterator::Iterator or Iterator::operator++The text was updated successfully, but these errors were encountered: