cgltf Integer Overflow Vulnerability in Sparse Accessor Validation Leading to Heap Buffer Over-Read
Vulnerability
A vulnerability exists in cgltf versions through 1.15: an integer overflow in the cgltf_validate() function during the validation of sparse accessors. Because the size arithmetic in that validation is unchecked, a crafted glTF/GLB file with manipulated size values can pass validation and trigger an out-of-bounds read, a heap buffer over-read in cgltf_calc_index_bound(), leading to denial-of-service crashes and potential memory disclosure.
Impact
Exploitation of this vulnerability causes a heap buffer over-read, resulting in a process crash and potential memory disclosure. The crash can be observed as a segmentation fault, indicating an invalid memory access.
Reproduction
The vulnerability can be reproduced by compiling a C program that uses the cgltf library to load a crafted GLB file with manipulated sparse accessor values. The program should be compiled with AddressSanitizer and UndefinedBehaviorSanitizer enabled; the sanitizer reports the out-of-bounds read as a heap buffer overflow error. The same crash occurs without the sanitizers, confirming that the vulnerability is not an artifact of the instrumentation.
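The following is an added example, not cgltf's own code, that models the bug class described in the Vulnerability and Reproduction sections: a bound check whose size arithmetic can wrap around size_t, beside the overflow-aware check that rejects the same input. The struct, field names, the `validate_unsafe`/`validate_safe`/`max_index_u32` functions and the sample buffer are assumptions constructed for illustration; they do not reproduce cgltf's internal layout or the real cgltf_validate() logic. The build line in the comment mirrors the sanitizer configuration the reproduction section calls for.

```c
/* Added example (not cgltf's own code): a hypothetical model of how an
 * unchecked size calculation in sparse accessor validation can wrap, and
 * the overflow-aware check that prevents it.
 * Build line matching the Reproduction section (unsigned wrap itself is
 * defined behaviour; ASan reports the bug only once the wrapped bound is
 * used for a read):
 *   cc -std=c99 -fsanitize=address,undefined -g sparse_check.c -o sparse_check
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sparse-index view; field names are assumptions, not cgltf's. */
typedef struct {
    size_t byte_offset; /* start of the index data inside the buffer */
    size_t count;       /* number of index elements */
    size_t stride;      /* bytes per element (assumed already resolved, > 0) */
} sparse_view_t;

/* Vulnerable pattern: count * stride (and the following addition) may wrap
 * around size_t, so a crafted file passes the bound check even though the
 * real end of the data lies far outside the buffer. */
bool validate_unsafe(const sparse_view_t *v, size_t buffer_size) {
    size_t end = v->byte_offset + v->count * v->stride;
    return end <= buffer_size;
}

/* Hardened pattern: prove that no intermediate result overflows before the
 * result is compared against the buffer size. */
bool validate_safe(const sparse_view_t *v, size_t buffer_size) {
    if (v->stride == 0) return false;                   /* reject, don't guess */
    if (v->count > SIZE_MAX / v->stride) return false;  /* count*stride wraps */
    size_t span = v->count * v->stride;
    if (v->byte_offset > SIZE_MAX - span) return false; /* offset+span wraps */
    return v->byte_offset + span <= buffer_size;
}

/* Compute the largest index in the view, the kind of scan that over-reads
 * when it is fed a wrapped bound. Returns false if the view is rejected. */
bool max_index_u32(const uint8_t *buf, size_t buffer_size,
                   const sparse_view_t *v, uint32_t *out) {
    if (v->stride < 4 || !validate_safe(v, buffer_size)) return false;
    uint32_t best = 0;
    for (size_t i = 0; i < v->count; i++) {
        const uint8_t *p = buf + v->byte_offset + i * v->stride;
        /* little-endian decode, the byte order glTF buffers use */
        uint32_t idx = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        if (idx > best) best = idx;
    }
    *out = best;
    return true;
}

/* Constructed crafted view: count is chosen so that count * stride is exactly
 * 2^(bit width of size_t), which wraps to 0 in the unsafe check. */
sparse_view_t crafted_view(void) {
    sparse_view_t v = { 0, SIZE_MAX / 4 + 1, 4 };
    return v;
}

bool crafted_passes_unsafe(void) {
    sparse_view_t v = crafted_view();
    return validate_unsafe(&v, 16); /* wraps: reports "in bounds" */
}

bool crafted_passes_safe(void) {
    sparse_view_t v = crafted_view();
    return validate_safe(&v, 16);   /* correctly rejected */
}

/* Constructed 16-byte buffer holding four little-endian uint32 indices. */
static const uint8_t sample_buf[16] = {
    3, 0, 0, 0,   7, 0, 0, 0,   1, 0, 0, 0,   5, 0, 0, 0
};

/* Largest index in the sample buffer via the safe path (expected 7). */
uint32_t sample_max_index(void) {
    sparse_view_t v = { 0, 4, 4 };
    uint32_t m = 0;
    return max_index_u32(sample_buf, sizeof sample_buf, &v, &m) ? m : UINT32_MAX;
}

int main(void) {
    printf("crafted view, unsafe check accepts: %d\n", crafted_passes_unsafe());
    printf("crafted view, safe check accepts:   %d\n", crafted_passes_safe());
    printf("sample buffer max index: %u\n", sample_max_index());
    return 0;
}
```

The crafted view is accepted by the unchecked arithmetic and rejected by the hardened check on both 32-bit and 64-bit targets, because the count is derived from SIZE_MAX rather than hard-coded. The defensive pattern is the same one a fix for this class of bug needs: check `count > SIZE_MAX / stride` and `offset > SIZE_MAX - span` before the comparison against the buffer size, so a wrapped value can never reach the read loop.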
Remediation
Users are advised to update to cgltf version 1.16 or later, where this vulnerability has been addressed.
