Assimp Denial-of-Service Vulnerability in FBX Multi-Material Mesh Conversion

A denial-of-service vulnerability has been identified in Assimp version 6.0.2. The issue arises in the FBX importer, specifically within the 'FBXConverter::ConvertMeshMultiMaterial' method. The vulnerability allows remote attackers to cause excessive memory allocation by crafting FBX files with oversized face index counts. This uncontrolled memory allocation can lead to out-of-memory errors or allocation failures, terminating the mesh importing process.

Impact

Exploitation of this vulnerability causes excessive memory allocation, leading to out-of-memory errors or allocation failures that terminate the importing process.

Reproduction

To reproduce this vulnerability, build Assimp 6.0.2 with the FBX importer enabled. Then, import a crafted FBX file that has oversized face index counts for a multi-material mesh. This will trigger the 'FBXConverter::ConvertMeshMultiMaterial' method, where the inflated vertex count is used to allocate mesh arrays, causing excessive memory use or process termination.

Remediation

It is recommended to validate face index counts before they are summed into allocation sizes, enforce upper limits on generated vertex and face counts, and reject malformed FBX meshes that exceed certain thresholds. Adding regression tests for oversized face index counts in multi-material meshes could also help prevent this issue.