Open Asset Import Library Assimp Heap Out-of-Bounds Read Vulnerability in HL1MDLLoader

Vulnerability

A heap out-of-bounds read vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3, in the function HL1MDLLoader::validate_header in the file HL1MDLLoader.cpp. The function does not check the size of the file that was read into memory before accessing the buffer, so a file shorter than the header it expects causes a read past the end of the heap allocation. The vulnerability can be exploited locally, and a proof-of-concept exploit is publicly available.
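The defect class described above, as an added illustration in C++ (not Assimp's own code): a fixed-size header copied out of the file buffer without first checking that the buffer is long enough, beside the hardened form that rejects short input before touching the buffer. The header layout, the "IDST" identifier and the function names are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed header prefix for the example: a 4-byte identifier followed by a
// 32-bit little-endian version. This is not Assimp's struct definition.
struct MdlHeaderPrefix {
    char ident[4];
    int32_t version;
};

// Vulnerable pattern: the header is copied out of the buffer without checking
// that the buffer holds at least sizeof(header) bytes. On a truncated file the
// memcpy reads past the allocation (a heap out-of-bounds read).
bool validate_header_unchecked(const std::vector<uint8_t>& buf) {
    MdlHeaderPrefix h;
    std::memcpy(&h, buf.data(), sizeof(h));   // no size check
    return std::memcmp(h.ident, "IDST", 4) == 0 && h.version == 10;
}

// Hardened form: fail closed when the buffer is shorter than the header, so
// the copy can never exceed the allocation, then validate the fields.
bool validate_header_checked(const std::vector<uint8_t>& buf) {
    if (buf.size() < sizeof(MdlHeaderPrefix)) {
        return false;                          // truncated input: reject
    }
    MdlHeaderPrefix h;
    std::memcpy(&h, buf.data(), sizeof(h));
    return std::memcmp(h.ident, "IDST", 4) == 0 && h.version == 10;
}

// Constructed sample inputs (not taken from any real file).
std::vector<uint8_t> make_valid_header() {
    return {'I', 'D', 'S', 'T', 10, 0, 0, 0};  // "IDST", version 10
}
std::vector<uint8_t> make_truncated_header() {
    return {'I', 'D', 'S'};                    // 3 bytes, shorter than the header
}
std::vector<uint8_t> make_wrong_magic_header() {
    return {'X', 'X', 'X', 'X', 10, 0, 0, 0};  // right length, wrong identifier
}
```

Under AddressSanitizer, calling the unchecked variant on the truncated input is reported as a heap-buffer-overflow read; the checked variant returns false without touching memory beyond the buffer.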

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building the Assimp library with AddressSanitizer (ASAN) enabled, the same configuration the OSS-Fuzz project uses for its Assimp fuzzer. After compiling the library, the Assimp fuzzer is run with a crafted input file that triggers the out-of-bounds read in the HL1MDLLoader's header validation function. This process can be automated as part of a fuzzing campaign.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.