Assimp NULL Pointer Dereference Vulnerability in FBX Mesh Geometry Parser Leading to Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in Assimp version 6.0.2 within the FBX importer, specifically in the 'MeshGeometry::MeshGeometry' function. This issue allows remote attackers to cause a denial-of-service by crafting an FBX file that includes a 'Layer' element with an empty token list. When this file is imported, the parser dereferences the first token without checking if the list is non-empty, leading to a crash.

Impact

Exploitation of this vulnerability causes a deterministic crash of the application importing the crafted FBX file, disrupting the import process and causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced with an Assimp binary built with AddressSanitizer (ASAN) enabled and run under GDB. Using the FBX fuzzer to import a crafted FBX file that contains a 'Layer' element with no tokens triggers the NULL pointer dereference in the 'MeshGeometry::MeshGeometry' function and crashes the application. The issue can be verified in GDB, where the top frame shows the crash in the FBX mesh geometry parser, at the point where the empty token list is accessed without validation.

Remediation

Users are advised to update to a version of Assimp that includes the fix for this vulnerability. The specific version number is currently unknown.
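The missing check described under Vulnerability, shown as an added example (not Assimp's code and not the upstream fix). The types Token and Element and both functions are hypothetical, simplified stand-ins for a token-list parser; the sample inputs are constructed.

```cpp
#include <climits>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical, simplified stand-ins for an FBX parser's token and element types.
struct Token { std::string text; };
struct Element { std::vector<const Token*> tokens; };  // empty in a crafted file

// Flawed pattern from the advisory: the first token is dereferenced without
// checking that the list is non-empty. Shown for contrast only; never called.
int layer_index_unchecked(const Element& layer) {
    return std::atoi(layer.tokens[0]->text.c_str());
}

// Hardened pattern: reject empty lists, null entries and non-integer tokens.
bool layer_index_checked(const Element& layer, int& out) {
    if (layer.tokens.empty() || layer.tokens.front() == nullptr) {
        return false;  // malformed 'Layer': report an error, do not dereference
    }
    const std::string& s = layer.tokens.front()->text;
    char* end = nullptr;
    const long v = std::strtol(s.c_str(), &end, 10);
    if (s.empty() || *end != '\0' || v < INT_MIN || v > INT_MAX) {
        return false;  // token is not a plain in-range integer
    }
    out = static_cast<int>(v);
    return true;
}

int main() {
    Token zero{"0"};            // constructed sample token
    Element good;
    good.tokens.push_back(&zero);
    Element crafted;            // 'Layer' element with an empty token list

    int index = -1;
    std::cout << "good accepted: " << layer_index_checked(good, index)
              << " (index " << index << ")\n";
    std::cout << "crafted accepted: " << layer_index_checked(crafted, index) << "\n";
    return 0;
}
```

A parser that returns an error for the malformed element lets the importer fail the file cleanly instead of terminating the host process.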

Added: May 4, 2026, 3:25 PM
Updated: May 4, 2026, 3:25 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 7.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.