Skip to content

Fix memory safety bugs in PLY, OBJ, and STL decoders#1176

Open
sharadboni wants to merge 2 commits intogoogle:mainfrom
sharadboni:fix-ply-obj-stl-memory-safety
Open

Fix memory safety bugs in PLY, OBJ, and STL decoders#1176
sharadboni wants to merge 2 commits intogoogle:mainfrom
sharadboni:fix-ply-obj-stl-memory-safety

Conversation

@sharadboni
Copy link
Copy Markdown

@sharadboni sharadboni commented Apr 15, 2026

Summary

This PR fixes three memory safety vulnerabilities in Draco's mesh file decoders:

1. PLY heap-buffer-overflow in ply_reader.cc

In ParseElementData, the num_entries field of a list property is read from attacker-controlled input and used to compute num_bytes_to_read without validating against the remaining buffer size. A crafted PLY file with a large list count causes an out-of-bounds read past the input buffer via the prop.data_.insert(... buffer->data_head() + num_bytes_to_read) call.

Fix: Added bounds check that num_entries >= 0 and num_bytes_to_read <= buffer->remaining_size() before the insert.

2. OBJ negative-index integer underflow in obj_decoder.cc

OBJ files support negative vertex indices (e.g., f -1 -2 -3) which are relative to the current vertex count. However, there was no validation that |index| <= count. A crafted file like f -99999 with only a few vertices causes num_positions_ + indices[0] to underflow to a huge value, producing an out-of-range AttributeValueIndex.

Fix: Added validation that -indices[i] <= num_positions_ (and similarly for tex coords and normals) for negative indices, returning an error status on violation.

3. STL unchecked Decode return values in stl_decoder.cc

In DecodeFromBuffer, all calls to buffer->Decode() had their boolean return values ignored. A truncated binary STL file causes reads past the end of the buffer without any error reporting.

Fix: Check return values of Decode() and remaining_size() before each buffer operation, returning descriptive IO_ERROR status on truncated input.

Test plan

  • Verify existing draco unit tests still pass
  • Test with crafted PLY file containing oversized list count
  • Test with OBJ file containing out-of-range negative indices (e.g., f -99999)
  • Test with truncated binary STL file (< 84 bytes)

@sharadboni
Fix memory safety bugs in PLY, OBJ, and STL decoders
73b5d88 
1. PLY heap-buffer-overflow: Add bounds check on attacker-controlled
   num_entries in ParseElementData before reading list property data.
   A crafted PLY file with a large list count can read past the end of
   the input buffer.

2. OBJ negative-index integer underflow: Validate that the absolute
   value of negative vertex/texcoord/normal indices does not exceed
   the number of parsed elements. A crafted OBJ like "f -99999" with
   few vertices causes num_positions_ + indices[0] to underflow,
   producing a huge AttributeValueIndex.

3. STL unchecked Decode returns: Check return values of
   DecoderBuffer::Decode() in the binary STL parser. A truncated STL
   file causes reads past the buffer without any error.
@google-cla
Copy link
Copy Markdown

google-cla Bot commented Apr 15, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@sharadboni
Copy link
Copy Markdown
Author

sharadboni commented Apr 15, 2026

@jzern Could you review this security fix? It addresses a heap-buffer-overflow in the PLY parser, an integer underflow in the OBJ parser, and unchecked return values in the STL decoder.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sharadboni