From 1cb6d2f3efd2557ab16e128362308562aa05d94a Mon Sep 17 00:00:00 2001
From: mohammadmseet-hue
Date: Thu, 2 Apr 2026 07:33:17 +0200
Subject: [PATCH] fix: validate face vertex indices against num_points in sequential decoder

The sequential mesh decoder reads face vertex indices from the bitstream without validating that they fall within [0, num_points). When a crafted Draco file contains face indices exceeding num_points, subsequent attribute access via these indices causes out-of-bounds heap reads (and potentially writes during attribute deduplication or other operations).

ASan confirms the OOB: ERROR: AddressSanitizer: heap-buffer-overflow READ of size 12 at is located 1128 bytes after 72-byte region

This affects all four index decoding paths (uint8, uint16, uint32 varint, uint32 direct) and the compressed index path (DecodeAndDecompressIndices).

Fix: add a validation pass after decoding connectivity that checks all face vertex indices are within the valid range [0, num_points).
---
 src/draco/compression/mesh/mesh_sequential_decoder.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/draco/compression/mesh/mesh_sequential_decoder.cc b/src/draco/compression/mesh/mesh_sequential_decoder.cc
index 124df3345..aab1b1a4f 100644
--- a/src/draco/compression/mesh/mesh_sequential_decoder.cc
+++ b/src/draco/compression/mesh/mesh_sequential_decoder.cc
@@ -125,6 +125,16 @@ bool MeshSequentialDecoder::DecodeConnectivity() {
     }
   }
   point_cloud()->set_num_points(num_points);
+
+  // Validate that all face vertex indices are within [0, num_points).
+  for (draco::FaceIndex fi(0); fi < mesh()->num_faces(); ++fi) {
+    const auto &face = mesh()->face(fi);
+    for (int j = 0; j < 3; ++j) {
+      if (face[j].value() >= num_points) {
+        return false;
+      }
+    }
+  }
   return true;
 }
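Review bot: The patch carries no regression test even though the commit message describes an ASan-confirmed crafted file; a fixture with one out-of-range face index per decoding path (uint8, uint16, varint uint32, direct uint32 and DecodeAndDecompressIndices) asserting that decoding fails would pin the fix and stop a later refactor of the decode loops from silently dropping it. The check itself reads as sound: `face[j].value()` and the decoded `num_points` are presumably both unsigned, so a wrapped or huge index still compares as out of range, but the added comment only says what the loop does, not why it is security-relevant; I would extend it to `// Indices come from untrusted input and are later used to index attribute arrays; an out-of-range index would be an out-of-bounds heap read.`. Because this is a post-pass, any consumer of the face indices that runs between the decode loops and this point would still see unchecked values; nothing visible in the hunk does so, but the decode paths and the rest of DecodeConnectivity start outside the hunk, so that ordering is worth confirming.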