pool/assimp
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1233500 from games

Browse Source 
- Add patches:
  * 0001-Fix-leak-5762.patch
  * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423)
  * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424)
  * CVE-2024-53425.patch (boo#1233633, CVE-2024-53425)

- Add upstream change (boo#1232324, CVE-2024-48425)
  * 0001-SplitLargeMeshes-Fix-crash-5799.patch

OBS-URL: https://build.opensuse.org/request/show/1233500
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/assimp?expand=0&rev=30
This commit is contained in:
Ana Guerrero 2024-12-29 10:55:59 +00:00 committed by Git OBS Bridge
commit bbb07c80de
7 changed files with 321 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
0001-Fix-leak-5762.patch Normal file
View File

@ -0,0 +1,136 @@
From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:02:34 +0200
Subject: [PATCH] Fix leak (#5762)
* Fix leak
* Update utLogger.cpp
---
code/Common/Assimp.cpp | 13 ++++++---
fuzz/assimp_fuzzer.cc | 2 +-
test/CMakeLists.txt | 1 +
test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 5 deletions(-)
create mode 100644 test/unit/Common/utLogger.cpp
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index ef3ee7b5d..91896e405 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
s->write(msg);
}
+static LogStream *DefaultStream = nullptr;
+
// ------------------------------------------------------------------------------------------------
ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
aiLogStream sout;
ASSIMP_BEGIN_EXCEPTION_REGION();
- LogStream *stream = LogStream::createDefaultStream(pStream, file);
- if (!stream) {
+ if (DefaultStream == nullptr) {
+ DefaultStream = LogStream::createDefaultStream(pStream, file);
+ }
+
+ if (!DefaultStream) {
sout.callback = nullptr;
sout.user = nullptr;
} else {
sout.callback = &CallbackToLogRedirector;
- sout.user = (char *)stream;
+ sout.user = (char *)DefaultStream;
}
- gPredefinedStreams.push_back(stream);
+ gPredefinedStreams.push_back(DefaultStream);
ASSIMP_END_EXCEPTION_REGION(aiLogStream);
return sout;
}
diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
index 8178674e8..91ffd9d69 100644
--- a/fuzz/assimp_fuzzer.cc
+++ b/fuzz/assimp_fuzzer.cc
@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
using namespace Assimp;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
+ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
aiAttachLogStream(&stream);
Importer importer;
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7b7fd850a..1a45adac7 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -100,6 +100,7 @@ SET( COMMON
unit/Common/utBase64.cpp
unit/Common/utHash.cpp
unit/Common/utBaseProcess.cpp
+ unit/Common/utLogger.cpp
)
SET(Geometry
diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
new file mode 100644
index 000000000..932240a7f
--- /dev/null
+++ b/test/unit/Common/utLogger.cpp
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------
+Open Asset Import Library (assimp)
+---------------------------------------------------------------------------
+
+Copyright (c) 2006-2024, assimp team
+
+All rights reserved.
+
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+copyright notice, this list of conditions and the
+following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the
+following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+* Neither the name of the assimp team, nor the names of its
+contributors may be used to endorse or promote products
+derived from this software without specific prior
+written permission of the assimp team.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------------------------------------------------
+*/
+
+#include "UnitTestPCH.h"
+#include <assimp/Importer.hpp>
+
+using namespace Assimp;
+class utLogger : public ::testing::Test {};
+
+TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
+ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ ASSERT_EQ(stream1.callback, stream2.callback);
+}
--
2.47.1

29
0001-SplitLargeMeshes-Fix-crash-5799.patch Normal file
View File

@ -0,0 +1,29 @@
From ecdf8d24b85367b22ba353b4f82299d4af7f1f97 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Mon, 7 Oct 2024 10:30:45 +0200
Subject: [PATCH] SplitLargeMeshes: Fix crash (#5799)
- Fix nullptr access when rootnode of the scene is a nullptr. This can happen even if the scene stores any kind of meshes. closes https://github.com/assimp/assimp/issues/5791
---
code/PostProcessing/SplitLargeMeshes.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/code/PostProcessing/SplitLargeMeshes.cpp b/code/PostProcessing/SplitLargeMeshes.cpp
index 3bee28521..cb9727651 100644
--- a/code/PostProcessing/SplitLargeMeshes.cpp
+++ b/code/PostProcessing/SplitLargeMeshes.cpp
@@ -100,6 +100,11 @@ void SplitLargeMeshesProcess_Triangle::SetupProperties( const Importer* pImp) {
// ------------------------------------------------------------------------------------------------
// Update a node after some meshes have been split
void SplitLargeMeshesProcess_Triangle::UpdateNode(aiNode* pcNode, const std::vector<std::pair<aiMesh*, unsigned int> >& avList) {
+ if (pcNode == nullptr) {
+ ASSIMP_LOG_WARN("UpdateNode skipped, nullptr detected.");
+ return;
+ }
+
// for every index in out list build a new entry
std::vector<unsigned int> aiEntries;
aiEntries.reserve(pcNode->mNumMeshes + 1);
--
2.47.0

34
CVE-2024-48423.patch Normal file
View File

@ -0,0 +1,34 @@
From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Wed, 11 Dec 2024 12:17:14 +0200
Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
The heap-use-after-free vulnerability occurs in the
CallbackToLogRedirector function. During the process of logging,
a previously freed memory region is accessed, leading to a
use-after-free condition. This vulnerability stems from incorrect
memory management, specifically, freeing a log stream and then
attempting to access it later on.
This patch sets NULL value for The DefaultStream global pointer.
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/Common/Assimp.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index 91896e4059..22e16bd36a 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
DefaultLogger::get()->detachStream(it->second);
delete it->second;
+ if ((Assimp::LogStream *)stream->user == DefaultStream) {
+ DefaultStream = nullptr;
+ }
+
gActiveLogStreams.erase(it);
if (gActiveLogStreams.empty()) {

59
CVE-2024-48424.patch Normal file
View File

@ -0,0 +1,59 @@
From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Mon, 16 Dec 2024 23:48:45 +0200
Subject: [PATCH] Fix heap-buffer-overflow in OpenDDLParser (#5919)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
contrib/openddlparser/code/OpenDDLParser.cpp | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp
index 3d7dce45ec..26591b5ec8 100644
--- a/contrib/openddlparser/code/OpenDDLParser.cpp
+++ b/contrib/openddlparser/code/OpenDDLParser.cpp
@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) {
return Grammar::PrimitiveTypeToken[(size_t)type];
}
-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
- if (callback) {
- std::string full(in);
- std::string part(full.substr(0, 50));
+static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) {
+ if (callback) {\
+ std::string part(in.substr(0, 50));
std::stringstream stream;
- stream << "Invalid token \"" << *in << "\" "
+ stream << "Invalid token \"" << in << "\" "
<< "(expected \"" << exp << "\") "
<< "in: \"" << part << "\"";
callback(ddl_error_msg, stream.str());
@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
}
if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
+ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback);
return nullptr;
}
@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) {
++in;
}
} else {
- ++in;
- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback);
error = true;
return nullptr;
}
@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
in = lookForNextToken(in, end);
if (in == end || *in != '}') {
- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback);
return nullptr;
} else {
//in++;

39
CVE-2024-53425.patch Normal file
View File

@ -0,0 +1,39 @@
From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Tue, 17 Dec 2024 19:57:54 +0200
Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd
(#5921)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 2de8d5033c..c5f108586e 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() {
ReportError("MD5 version tag is unknown (10 is expected)");
}
SkipLine();
- if (buffer == bufferEnd) {
- return;
- }
// print the command line options to the console
- // FIX: can break the log length limit, so we need to be careful
char *sz = buffer;
- while (!IsLineEnd(*buffer++));
+ while (buffer < bufferEnd) {
+ if (IsLineEnd(*buffer++)) {
+ break;
+ }
+ }
+
+ if (buffer == bufferEnd) {
+ return;
+ }
ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
SkipSpacesAndLineEnd();

15
assimp.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Fri Dec 27 08:05:57 UTC 2024 - Christophe Marin <christophe@krop.fr>
- Add patches:
* 0001-Fix-leak-5762.patch
* CVE-2024-48423.patch (boo#1232322, CVE-2024-48423)
* CVE-2024-48424.patch (boo#1232323, CVE-2024-48424)
* CVE-2024-53425.patch (boo#1233633, CVE-2024-53425)
-------------------------------------------------------------------
Wed Oct 30 09:42:38 UTC 2024 - Christophe Marin <christophe@krop.fr>
- Add upstream change (boo#1232324, CVE-2024-48425)
* 0001-SplitLargeMeshes-Fix-crash-5799.patch
-------------------------------------------------------------------
Tue Sep 10 07:32:23 UTC 2024 - Christophe Marin <christophe@krop.fr>

12
assimp.spec
View File

@ -22,9 +22,17 @@ Version: 5.4.3
Release: 0
Summary: Library to load and process 3D scenes from various data formats
License: BSD-3-Clause AND MIT
Group: Development/Libraries/C and C++
URL: https://github.com/assimp/assimp
Source0: %{name}-%{version}.tar.xz
# PATCH-FIX-UPSTREAM
Patch0: 0001-SplitLargeMeshes-Fix-crash-5799.patch
# PATCH-FIX-UPSTREAM
Patch1: 0001-Fix-leak-5762.patch
Patch2: CVE-2024-48423.patch
# PATCH-FIX-UPSTREAM
Patch3: CVE-2024-48424.patch
# PATCH-FIX-UPSTREAM
Patch4: CVE-2024-53425.patch
BuildRequires: cmake >= 3.22
BuildRequires: dos2unix
BuildRequires: gcc-c++
@ -42,7 +50,6 @@ engine-specific format for easy and fast every-day-loading.
%package -n libassimp%{sover}
Summary: Library to load and process 3D scenes from various data formats
Group: System/Libraries
%description -n libassimp%{sover}
Assimp is a library to load and process geometric scenes from various data formats.
@ -53,7 +60,6 @@ engine-specific format for easy and fast every-day-loading.
%package devel
Summary: Headers, docs and command-line utility for assimp
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libassimp%{sover} = %{version}
Requires: libstdc++-devel