Open CASCADE Technology VRML V2.0 Parser Out-of-Bounds Read Vulnerability

Vulnerability

A memory safety vulnerability allowing for out-of-bounds reads has been identified in the VRML V2.0 parser of Open CASCADE Technology (OCCT) versions through 7.8.1 and the master branch prior to commit c540f316. The issue arises in the 'libTKDEVRML.so' component, specifically within the 'VrmlData_IndexedFaceSet::TShape' function. Attackers can exploit this vulnerability by crafting a VRML file that triggers the dereference of a corrupt or unvalidated pointer during shape construction, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a heap-based out-of-bounds read, which can potentially be leveraged for a more severe attack, such as arbitrary code execution.

Reproduction

The vulnerability can be reproduced with a crafted VRML file containing malformed 'coordIndex' values. The file manipulates the indexing in a way that bypasses the normal validation checks, for example by using negative values or values that exceed the available coordinate count. When the OCCT VRML parser processes such a file, it accesses memory outside the allocated buffer; the resulting out-of-bounds read can be confirmed using AddressSanitizer (ASAN).
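A pre-ingest check for the index conditions named above, as an added example that is not OCCT code or part of the original advisory: it scans VRML text and reports every 'coordIndex' entry that is negative (other than the -1 face terminator) or not below the inline point count. It is a text heuristic rather than a full VRML parser; the function names and the sample node are constructed for illustration.

```python
import re

# Constructed sample (not from the advisory): three points, one index past the end.
SAMPLE = """
Shape { geometry IndexedFaceSet {
  coord Coordinate { point [ 0 0 0, 1 0 0, 0 1 0 ] }
  coordIndex [ 0, 1, 2, -1, 0, 1, 7, -1 ]
} }
"""

_COMMENT = re.compile(r"#[^\n]*")
# \bCoordinate does not match inside "TextureCoordinate" (2-D points).
_POINTS = re.compile(r"\bcoord\s+(?:DEF\s+\S+\s+)?Coordinate\s*\{\s*point\s*\[([^\]]*)\]")
_INDICES = re.compile(r"\bcoordIndex\s*\[([^\]]*)\]")


def _tokens(body):
    return body.replace(",", " ").split()


def check_face_sets(text):
    """Return (face_set_number, offending_token, point_count) tuples.

    point_count is None when the coordinates are not inline (e.g. USE),
    in which case every index is reported because it cannot be verified.
    """
    text = _COMMENT.sub("", text)  # heuristic: ignores '#' inside strings
    findings = []
    for number, chunk in enumerate(text.split("IndexedFaceSet")[1:], start=1):
        indices = _INDICES.search(chunk)
        if indices is None:
            continue
        points = _POINTS.search(chunk)
        count = len(_tokens(points.group(1))) // 3 if points else None
        for token in _tokens(indices.group(1)):
            try:
                value = int(token)
            except ValueError:
                findings.append((number, token, count))  # not a plain integer
                continue
            if value == -1:
                continue  # -1 is the VRML end-of-face marker, not an index
            if count is None or not 0 <= value < count:
                findings.append((number, value, count))
    return findings


if __name__ == "__main__":
    for number, token, count in check_face_sets(SAMPLE):
        print(f"IndexedFaceSet #{number}: coordIndex {token!r}, point count {count}")
```

A non-empty result means the file should be rejected or reviewed before it reaches a parser build that predates the fix.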

Remediation

Users are advised to update to the latest version of Open CASCADE Technology, where this vulnerability has been addressed.

Added: May 1, 2026, 4:04 PM
Updated: May 1, 2026, 4:04 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.