Open Asset Import Library Assimp Out-of-Bounds Read Vulnerability in MDC Importer

Vulnerability

A heap-based out-of-bounds read vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3. The issue arises in the MDCImporter::ValidateSurfaceHeader function in MDCLoader.cpp. The vulnerability is caused by inadequate validation of the surface header, specifically its 'ulOffsetEnd' field, so the importer can read memory beyond the intended buffer. The flaw was discovered through fuzzing and is exploitable in a local environment.
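For illustration, the kind of bounds check a surface-header validator needs is shown below. This is an added example, not Assimp's code: the SurfaceHeader struct is a simplified hypothetical layout (the real MDC header has more fields), and validateSurfaceHeader, surfaceOffset, fileSize and vertexStride are assumed names and values.

```cpp
#include <cstddef>
#include <cstdint>

// Simplified stand-in for an MDC surface header (hypothetical layout).
// Offsets are relative to the start of the surface, as in the real format.
struct SurfaceHeader {
    uint32_t ulNumVertices;
    uint32_t ulOffsetVertices;
    uint32_t ulOffsetEnd;      // offset of the end of this surface
};

// Returns true only if everything the header describes lies inside the
// file buffer [0, fileSize). surfaceOffset is the surface's absolute
// position in the file. All arithmetic is arranged so it cannot overflow.
bool validateSurfaceHeader(const SurfaceHeader& hdr,
                           size_t surfaceOffset, size_t fileSize) {
    // The header itself must fit in the remaining file bytes.
    if (surfaceOffset > fileSize ||
        fileSize - surfaceOffset < sizeof(SurfaceHeader))
        return false;
    const size_t avail = fileSize - surfaceOffset;  // bytes to end of file

    // ulOffsetEnd must point past the header but not beyond the file;
    // trusting it unchecked is what lets a reader run off the buffer.
    if (hdr.ulOffsetEnd < sizeof(SurfaceHeader) || hdr.ulOffsetEnd > avail)
        return false;

    // The vertex block must lie within the surface, with count * stride
    // checked by division so a huge count cannot wrap around.
    const size_t vertexStride = 8;  // assumed size of one vertex record
    if (hdr.ulOffsetVertices > hdr.ulOffsetEnd)
        return false;
    const size_t room = hdr.ulOffsetEnd - hdr.ulOffsetVertices;
    if (hdr.ulNumVertices > room / vertexStride)
        return false;
    return true;
}
```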

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building the Assimp fuzzer with AddressSanitizer (ASAN) enabled, similar to the setup used by OSS-Fuzz. After compiling the library, the fuzzer can be run with a crafted input that triggers the out-of-bounds read during the MDC file processing. This input can be found in the issue discussion on the Assimp GitHub repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.