packages/assimp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-48423,CVE-2024-48424 and CVE-2024-53425

Browse Source
This commit is contained in:
starlet-dx 2025-02-11 15:57:02 +08:00
parent 96d7135eda
commit 53b79c08b1
6 changed files with 470 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
CVE-2024-48423-pre-Fix-leak-5762.patch Normal file
View File

@ -0,0 +1,133 @@
From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:02:34 +0200
Subject: [PATCH] Fix leak (#5762)
* Fix leak
* Update utLogger.cpp
---
code/Common/Assimp.cpp | 13 ++++++---
fuzz/assimp_fuzzer.cc | 2 +-
test/CMakeLists.txt | 1 +
test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 5 deletions(-)
create mode 100644 test/unit/Common/utLogger.cpp
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index ef3ee7b5d8..91896e4059 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
s->write(msg);
}
+static LogStream *DefaultStream = nullptr;
+
// ------------------------------------------------------------------------------------------------
ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
aiLogStream sout;
ASSIMP_BEGIN_EXCEPTION_REGION();
- LogStream *stream = LogStream::createDefaultStream(pStream, file);
- if (!stream) {
+ if (DefaultStream == nullptr) {
+ DefaultStream = LogStream::createDefaultStream(pStream, file);
+ }
+
+ if (!DefaultStream) {
sout.callback = nullptr;
sout.user = nullptr;
} else {
sout.callback = &CallbackToLogRedirector;
- sout.user = (char *)stream;
+ sout.user = (char *)DefaultStream;
}
- gPredefinedStreams.push_back(stream);
+ gPredefinedStreams.push_back(DefaultStream);
ASSIMP_END_EXCEPTION_REGION(aiLogStream);
return sout;
}
diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
index 8178674e82..91ffd9d692 100644
--- a/fuzz/assimp_fuzzer.cc
+++ b/fuzz/assimp_fuzzer.cc
@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
using namespace Assimp;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
+ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
aiAttachLogStream(&stream);
Importer importer;
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7b7fd850ae..1a45adac7e 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -100,6 +100,7 @@ SET( COMMON
unit/Common/utBase64.cpp
unit/Common/utHash.cpp
unit/Common/utBaseProcess.cpp
+ unit/Common/utLogger.cpp
)
SET(Geometry
diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
new file mode 100644
index 0000000000..932240a7f6
--- /dev/null
+++ b/test/unit/Common/utLogger.cpp
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------
+Open Asset Import Library (assimp)
+---------------------------------------------------------------------------
+
+Copyright (c) 2006-2024, assimp team
+
+All rights reserved.
+
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+copyright notice, this list of conditions and the
+following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the
+following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+* Neither the name of the assimp team, nor the names of its
+contributors may be used to endorse or promote products
+derived from this software without specific prior
+written permission of the assimp team.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------------------------------------------------
+*/
+
+#include "UnitTestPCH.h"
+#include <assimp/Importer.hpp>
+
+using namespace Assimp;
+class utLogger : public ::testing::Test {};
+
+TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
+ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ ASSERT_EQ(stream1.callback, stream2.callback);
+}

34
CVE-2024-48423.patch Normal file
View File

@ -0,0 +1,34 @@
From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Wed, 11 Dec 2024 12:17:14 +0200
Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
The heap-use-after-free vulnerability occurs in the
CallbackToLogRedirector function. During the process of logging,
a previously freed memory region is accessed, leading to a
use-after-free condition. This vulnerability stems from incorrect
memory management, specifically, freeing a log stream and then
attempting to access it later on.
This patch sets NULL value for The DefaultStream global pointer.
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/Common/Assimp.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index 91896e4059..22e16bd36a 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
DefaultLogger::get()->detachStream(it->second);
delete it->second;
+ if ((Assimp::LogStream *)stream->user == DefaultStream) {
+ DefaultStream = nullptr;
+ }
+
gActiveLogStreams.erase(it);
if (gActiveLogStreams.empty()) {

59
CVE-2024-48424.patch Normal file
View File

@ -0,0 +1,59 @@
From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Mon, 16 Dec 2024 23:48:45 +0200
Subject: [PATCH] Fix heap-buffer-overflow in OpenDDLParser (#5919)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
contrib/openddlparser/code/OpenDDLParser.cpp | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp
index 3d7dce45ec..26591b5ec8 100644
--- a/contrib/openddlparser/code/OpenDDLParser.cpp
+++ b/contrib/openddlparser/code/OpenDDLParser.cpp
@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) {
return Grammar::PrimitiveTypeToken[(size_t)type];
}
-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
- if (callback) {
- std::string full(in);
- std::string part(full.substr(0, 50));
+static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) {
+ if (callback) {\
+ std::string part(in.substr(0, 50));
std::stringstream stream;
- stream << "Invalid token \"" << *in << "\" "
+ stream << "Invalid token \"" << in << "\" "
<< "(expected \"" << exp << "\") "
<< "in: \"" << part << "\"";
callback(ddl_error_msg, stream.str());
@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
}
if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
+ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback);
return nullptr;
}
@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) {
++in;
}
} else {
- ++in;
- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback);
error = true;
return nullptr;
}
@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
in = lookForNextToken(in, end);
if (in == end || *in != '}') {
- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback);
return nullptr;
} else {
//in++;

196
CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch Normal file
View File

@ -0,0 +1,196 @@
From d7cde433679a6e21e0a5f22e54ea0951783503fe Mon Sep 17 00:00:00 2001
From: Kim Kulling <kim.kullingk@draeger.com>
Date: Mon, 2 Oct 2023 10:24:43 +0200
Subject: [PATCH] Fix: Add check for invalid input argument
---
code/AssetLib/MD5/MD5Parser.cpp | 10 +++---
code/AssetLib/MD5/MD5Parser.h | 62 ++++++++++++++++++---------------
2 files changed, 38 insertions(+), 34 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 7d0b41c24a..8da30e28f7 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -3,7 +3,7 @@
Open Asset Import Library (assimp)
---------------------------------------------------------------------------
-Copyright (c) 2006-2022, assimp team
+Copyright (c) 2006-2023, assimp team
All rights reserved.
@@ -87,7 +87,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
// ------------------------------------------------------------------------------------------------
// Report error to the log stream
-/*static*/ AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
+AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
char szBuffer[1024];
::ai_snprintf(szBuffer, 1024, "[MD5] Line %u: %s", line, error);
throw DeadlyImportError(szBuffer);
@@ -95,7 +95,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
// ------------------------------------------------------------------------------------------------
// Report warning to the log stream
-/*static*/ void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
+void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
char szBuffer[1024];
::snprintf(szBuffer, sizeof(szBuffer), "[MD5] Line %u: %s", line, warn);
ASSIMP_LOG_WARN(szBuffer);
@@ -122,8 +122,8 @@ void MD5Parser::ParseHeader() {
// print the command line options to the console
// FIX: can break the log length limit, so we need to be careful
char *sz = buffer;
- while (!IsLineEnd(*buffer++))
- ;
+ while (!IsLineEnd(*buffer++));
+
ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
SkipSpacesAndLineEnd();
}
diff --git a/code/AssetLib/MD5/MD5Parser.h b/code/AssetLib/MD5/MD5Parser.h
index ad7367e2ab..9b29fbe851 100644
--- a/code/AssetLib/MD5/MD5Parser.h
+++ b/code/AssetLib/MD5/MD5Parser.h
@@ -2,8 +2,7 @@
Open Asset Import Library (assimp)
----------------------------------------------------------------------
-Copyright (c) 2006-2022, assimp team
-
+Copyright (c) 2006-2023, assimp team
All rights reserved.
@@ -93,7 +92,7 @@ struct Section {
std::string mName;
//! For global elements: the value of the element as string
- //! Iif !length() the section is not a global element
+ //! if !length() the section is not a global element
std::string mGlobalValue;
};
@@ -185,7 +184,7 @@ using FrameList = std::vector<FrameDesc>;
*/
struct VertexDesc {
VertexDesc() AI_NO_EXCEPT
- : mFirstWeight(0), mNumWeights(0) {
+ : mFirstWeight(0), mNumWeights(0) {
// empty
}
@@ -349,62 +348,61 @@ class MD5Parser {
*/
MD5Parser(char* buffer, unsigned int fileSize);
-
// -------------------------------------------------------------------
/** Report a specific error message and throw an exception
* @param error Error message to be reported
* @param line Index of the line where the error occurred
*/
- AI_WONT_RETURN static void ReportError (const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
+ AI_WONT_RETURN static void ReportError(const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
// -------------------------------------------------------------------
/** Report a specific warning
* @param warn Warn message to be reported
* @param line Index of the line where the error occurred
*/
- static void ReportWarning (const char* warn, unsigned int line);
-
+ static void ReportWarning(const char* warn, unsigned int line);
+ // -------------------------------------------------------------------
+ /** Report a specific error
+ * @param error Error message to be reported
+ */
AI_WONT_RETURN void ReportError (const char* error) AI_WONT_RETURN_SUFFIX;
- void ReportWarning (const char* warn) {
- return ReportWarning(warn, lineNumber);
- }
+ // -------------------------------------------------------------------
+ /** Report a specific warning
+ * @param error Warn message to be reported
+ */
+ void ReportWarning (const char* warn);
//! List of all sections which have been read
SectionList mSections;
private:
- // -------------------------------------------------------------------
- /** Parses a file section. The current file pointer must be outside
- * of a section.
- * @param out Receives the section data
- * @return true if the end of the file has been reached
- * @throws ImportErrorException if an error occurs
- */
bool ParseSection(Section& out);
-
- // -------------------------------------------------------------------
- /** Parses the file header
- * @throws ImportErrorException if an error occurs
- */
void ParseHeader();
-
bool SkipLine(const char* in, const char** out);
bool SkipLine( );
bool SkipSpacesAndLineEnd( const char* in, const char** out);
bool SkipSpacesAndLineEnd();
bool SkipSpaces();
+private:
char* buffer;
char* bufferEnd;
unsigned int fileSize;
unsigned int lineNumber;
};
+// -------------------------------------------------------------------
+inline void MD5Parser::ReportWarning (const char* warn) {
+ return ReportWarning(warn, lineNumber);
+}
+
+// -------------------------------------------------------------------
inline void MD5Parser::ReportError(const char* error) {
ReportError(error, lineNumber);
}
+
// -------------------------------------------------------------------
inline bool MD5Parser::SkipLine(const char* in, const char** out) {
++lineNumber;
@@ -418,18 +416,24 @@ inline bool MD5Parser::SkipLine( ) {
// -------------------------------------------------------------------
inline bool MD5Parser::SkipSpacesAndLineEnd( const char* in, const char** out) {
- bool bHad = false;
- bool running = true;
+ if (in == bufferEnd) {
+ *out = in;
+ return false;
+ }
+
+ bool bHad = false, running = true;
while (running) {
if( *in == '\r' || *in == '\n') {
- // we open files in binary mode, so there could be \r\n sequences ...
+ // we open files in binary mode, so there could be \r\n sequences ...
if (!bHad) {
bHad = true;
++lineNumber;
}
+ } else if (*in == '\t' || *in == ' ') {
+ bHad = false;
+ } else {
+ break;
}
- else if (*in == '\t' || *in == ' ')bHad = false;
- else break;
++in;
if (in == bufferEnd) {
break;

39
CVE-2024-53425.patch Normal file
View File

@ -0,0 +1,39 @@
From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Tue, 17 Dec 2024 19:57:54 +0200
Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd
(#5921)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 2de8d5033c..c5f108586e 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() {
ReportError("MD5 version tag is unknown (10 is expected)");
}
SkipLine();
- if (buffer == bufferEnd) {
- return;
- }
// print the command line options to the console
- // FIX: can break the log length limit, so we need to be careful
char *sz = buffer;
- while (!IsLineEnd(*buffer++));
+ while (buffer < bufferEnd) {
+ if (IsLineEnd(*buffer++)) {
+ break;
+ }
+ }
+
+ if (buffer == bufferEnd) {
+ return;
+ }
ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
SkipSpacesAndLineEnd();

10
assimp.spec
View File

@ -1,6 +1,6 @@
Name: assimp
Version: 5.3.1
Release: 5
Release: 6
Summary: Library to load and process various 3D model formats into applications.
License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
URL: http://www.assimp.org/
@ -15,6 +15,11 @@ Source0: assimp-%{version}-free.tar.xz
Patch01: CVE-2024-40724-Fix-out-of-bound-access-5651.patch
Patch02: CVE-2024-45679.patch
Patch03: CVE-2024-48425.patch
Patch04: CVE-2024-48423-pre-Fix-leak-5762.patch
Patch05: CVE-2024-48423.patch
Patch06: CVE-2024-48424.patch
Patch07: CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
Patch08: CVE-2024-53425.patch
BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
@ -94,6 +99,9 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
%{python3_sitelib}/pyassimp
%changelog
* Tue Feb 11 2025 yaoxin <1024769339@qq.com> - 5.3.1-6
- Fix CVE-2024-48423,CVE-2024-48424 and CVE-2024-53425
* Sat Oct 26 2024 liningjie <liningjie@xfusion.com> - 5.3.1-5
- Fix CVE-2024-48425