Open Asset Import Library Assimp Out-of-Bounds Read Vulnerability in AC3D File Handler

Vulnerability

A critical out-of-bounds read vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3 and later. The issue arises in the AC3D File Handler component, specifically within the 'Assimp::AC3DImporter::ConvertObjectSection' function. Because 'src.entries' is not validated, the function performs an out-of-bounds read of 'object.vertices'. This flaw could be exploited to execute remote code, particularly if a user is tricked into processing a maliciously crafted AC3D file with Assimp.

Impact

Exploitation of this vulnerability leads to a memory access violation, causing a segmentation fault. However, such out-of-bounds read vulnerabilities can often be leveraged to execute arbitrary code under certain conditions.

Reproduction

The vulnerability can be reproduced by building Assimp with AddressSanitizer enabled, which reports memory access violations as they occur. After compiling Assimp as a static library with the necessary flags, a fuzzer can be used to generate input that triggers the out-of-bounds read. The fuzzer can be directed to produce large values in 'src.entries' that exceed the bounds of 'object.vertices', causing the 'ConvertObjectSection' function to read beyond the memory allocated for it.
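The check described above, as an added illustration rather than Assimp's own code: a minimal model of an AC3D object (a vertex list plus surfaces whose entries index into it) in which every surface entry is validated against the vertex count before any vertex is dereferenced. All type and function names here are hypothetical.

```cpp
// Added illustration, not Assimp's code: a minimal model of an AC3D object
// (vertex list plus surfaces whose entries index into it) with the index
// validation the advisory describes as missing. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct Vec3 { float x, y, z; };

// One AC3D "SURF" record: each entry holds a vertex index (UVs omitted).
struct Surface { std::vector<uint32_t> entries; };

struct Object {
    std::vector<Vec3>    vertices;
    std::vector<Surface> surfaces;
};

// Returns true if every surface entry refers to an existing vertex.
// On failure, *badSurf/*badEntry identify the first offending index so
// the caller can log it; the importer should then reject the file.
bool validateSurfaceIndices(const Object& obj,
                            std::size_t* badSurf = nullptr,
                            std::size_t* badEntry = nullptr) {
    for (std::size_t s = 0; s < obj.surfaces.size(); ++s) {
        const Surface& src = obj.surfaces[s];
        for (std::size_t e = 0; e < src.entries.size(); ++e) {
            if (src.entries[e] >= obj.vertices.size()) {
                if (badSurf)  *badSurf  = s;
                if (badEntry) *badEntry = e;
                return false;
            }
        }
    }
    return true;
}

// Hardened conversion step: copies the referenced vertices into a flat
// per-surface list, but only after the bounds check above has passed.
// Throws instead of reading past the end of obj.vertices.
std::vector<Vec3> convertObjectSection(const Object& obj) {
    std::size_t s = 0, e = 0;
    if (!validateSurfaceIndices(obj, &s, &e)) {
        throw std::runtime_error("AC3D: surface " + std::to_string(s) +
                                 " entry " + std::to_string(e) +
                                 " references a vertex out of range");
    }
    std::vector<Vec3> out;
    for (const Surface& src : obj.surfaces)
        for (uint32_t idx : src.entries)
            out.push_back(obj.vertices[idx]);   // idx < vertices.size() is guaranteed
    return out;
}
```

Without the check, an oversized index in a surface record is used directly as a subscript into the vertex array, which is exactly the read AddressSanitizer flags during the reproduction described above.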

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          5.0
exploitability  5.8
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.