Open CASCADE Technology VRML Parser Out-of-Bounds Read Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the VRML parser of Open CASCADE Technology (OCCT) version 8.0.0 release candidate 5. The issue is an out-of-bounds read in the 'VrmlData_IndexedLineSet::TShape' function, which attackers can trigger with a crafted VRML file. 'coordIndex' values from the parsed input are used directly as array indices without being validated against the size of the coordinate array, leading to memory safety issues.

Impact

Exploitation of this vulnerability causes a heap-based out-of-bounds read, which can potentially be used to read sensitive information from memory or to cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced with a VRML file that contains crafted 'coordIndex' values. Because the 'VrmlData_IndexedLineSet::TShape' function lacks bounds checking, a file whose index values are out of range for the corresponding coordinate array triggers the out-of-bounds read.

Remediation

Users are advised to update to a version of Open CASCADE Technology that includes the necessary bounds checks for 'coordIndex' and 'normalIndex' values in the VRML parser.
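
The kind of bounds check described above, shown for 'coordIndex' only, as an added example that is not OCCT's code or its actual fix. The names Point, Polyline and resolvePolylines are hypothetical; the only format detail assumed is the VRML97 convention that -1 terminates each polyline in an IndexedLineSet.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

using Point = std::array<double, 3>;
using Polyline = std::vector<Point>;

// Hypothetical helper, not an OCCT API. Resolves an IndexedLineSet coordIndex
// list against the parsed coordinate array. Returns false, leaving `out`
// empty, if any index falls outside [0, coords.size()), so the caller can
// reject the file instead of reading past the end of the array.
bool resolvePolylines(const std::vector<Point>& coords,
                      const std::vector<std::int32_t>& coordIndex,
                      std::vector<Polyline>& out)
{
    out.clear();
    std::vector<Polyline> lines;
    Polyline current;
    for (std::int32_t idx : coordIndex) {
        if (idx == -1) {                       // polyline terminator
            if (!current.empty()) lines.push_back(std::move(current));
            current.clear();                   // reset after the move
            continue;
        }
        // Reject negatives other than -1 and anything >= the array size.
        // The sign test comes first so the unsigned cast cannot wrap.
        if (idx < 0 || static_cast<std::size_t>(idx) >= coords.size())
            return false;
        current.push_back(coords[static_cast<std::size_t>(idx)]);
    }
    // Accept a final polyline that has no trailing -1.
    if (!current.empty()) lines.push_back(std::move(current));
    out = std::move(lines);
    return true;
}
```

Validating before any element is dereferenced, and failing the whole shape on the first bad index, keeps a partially built result from reaching later geometry code.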

Added: May 1, 2026, 4:04 PM
Updated: May 1, 2026, 4:04 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.