Limit # of tags when parsing SubD tag('t').

fuzzer/runner.py

@@ -0,0 +1,20 @@
+import os, sys
+import glob
+import subprocess
+
+def main():
+    for g in glob.glob("../tests/afl/id*"):
+        print(g)
+    
+        cmd = ["../a.out", g]
+
+        proc = subprocess.Popen(cmd)
+        try:
+            outs, errs = proc.communicate(timeout=15)
+            print(outs)
+        except TimeoutExpired:
+            proc.kill()
+            outs, errs = proc.communicate()
+
+
+main()

loader_example.cc

@@ -145,6 +145,9 @@ static void PrintInfo(const tinyobj::attrib_t& attrib,
     assert(shapes[i].mesh.num_face_vertices.size() ==
            shapes[i].mesh.material_ids.size());
 
+    assert(shapes[i].mesh.num_face_vertices.size() ==
+           shapes[i].mesh.smoothing_group_ids.size());
+
     printf("shape[%ld].num_faces: %lu\n", static_cast<long>(i),
            static_cast<unsigned long>(shapes[i].mesh.num_face_vertices.size()));
 
@@ -165,6 +168,8 @@ static void PrintInfo(const tinyobj::attrib_t& attrib,
 
       printf("  face[%ld].material_id = %d\n", static_cast<long>(f),
              shapes[i].mesh.material_ids[f]);
+      printf("  face[%ld].smoothing_group_id = %d\n", static_cast<long>(f),
+             shapes[i].mesh.smoothing_group_ids[f]);
 
       index_offset += fnum;
     }

tests/afl/README.txt

@@ -0,0 +1,17 @@
+Command line used to find this crash:
+
+afl-fuzz -i in -o out ./test_loader @@
+
+If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
+memory limit. The limit used for this fuzzing session was 50.0 MB.
+
+Need a tool to minimize test cases before investigating the crashes or sending
+them to a vendor? Check out the afl-tmin that comes with the fuzzer!
+
+Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
+me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
+add your finds to the gallery at:
+
+  http://lcamtuf.coredump.cx/afl/
+
+Thanks :-)

tests/afl/id:000002,sig:11,src:000000,op:havoc,rep:4

@@ -0,0 +1,33 @@
+# cube.obj
+#
+ 
+} cube
+ 
+v  d.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1
/6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+f  1//4  5//4 55555555555555 6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000003,sig:11,src:000000,op:havoc,rep:4

@@ -0,0 +1,35 @@
+# cube.obj
+#
+ 4 
+f  1//4  6//4  2//4 
+f  
+g cube
+ 
+v  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+
n  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  //5 
+f  5//5  8//5  6//5 
+f  1//4  5//4  6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000004,sig:11,src:000000,op:havoc,rep:2

@@ -0,0 +1,34 @@
+# cube.ob7//3 
+f  3//3  4//3  8//3j
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1˙0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+f  1//4  5//4  6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000010,sig:11,src:000000,op:havoc,rep:16

@@ -0,0 +1,29 @@
+# cube.obj
+#
+ 
+g  
+v  0.0  0.0  0.0
+v  0.0  0.0  1,0
+T  0.0  1.0  0.0
+v  4.0  1c0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0 /////////////////////////////.0  0.0 -1.0
+vn  0.0  1.0  0.0
+v˙  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8K/31
+f/6  4//6  3//6 
+f  1//6  2  5//5  7//5  8//5 
+f  5//5  8//5  6//5"
+f  1//4  5//4  2222222222224f  1//2 7//2  5  6//4  2//4 
+f
 3//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000011,sig:11,src:000000,op:havoc,rep:8

@@ -0,0 +1,33 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0<>0  0.0 -1.0
+vn  0.0  1.0  00
+vn  0.0 -Ę.0  0.0
+vn  1.  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  40000000000000000vvvvvvvvvvvvvvvv00000080000000//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+f  1//4  56//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000013,sig:11,src:000093,op:havoc,rep:4

@@ -0,0 +1,32 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0 0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3 08//3 
+f  5//5  7//5  8//5!Šf  5//5  8//5  6//5 
+f  1//4  5//4  65555//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000015,sig:11,src:000093,op:havoc,rep:2

@@ -0,0 +1,33 @@
+# cube.7//3 
+f  3//3  4//3  8//3 
+obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v .0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5!Šf  5//5  8//5  6//5 
+f  1//4  5//4  6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000017,sig:11,src:000093,op:havoc,rep:4

@@ -0,0 +1,30 @@
+# cube.obj
+#
+ 
+g cuvP 0.0  0.0  .0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5!Šf  5//5  8//5  6//5 
+f  1//4  5//4  6//4 
+f  1//4  6666666666666666//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000018,sig:06,src:000141,op:flip1,pos:449

@@ -0,0 +1,33 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+t  1//4  5/-4  6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000019,sig:06,src:000141,op:arith8,pos:446,val:+13

@@ -0,0 +1,33 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0 -1.0  0.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+t  1//4 -5//4  6//4 
+f  1//4  6//4  2//4 
+f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000021,sig:06,src:000141,op:havoc,rep:4

@@ -0,0 +1,35 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v  1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  !.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0  0.0
+vn  0.0   8//5  6//5 
+t  1//4  -1.0  0.0
+vn  1.0  0.0  0.0
+f  3//3  8//3  7//3 
+f  3//3  
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  8//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+t  1//4  5//4  6//4 
+f  1//4  6//4  2//4 f  2//1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/afl/id:000025,sig:11,src:000141,op:havoc,rep:4

@@ -0,0 +1,32 @@
+# cube.obj
+#
+ 
+g cube
+ 
+v  0.0  0.0  0.0
+v  0.0  0.0  1.0
+v  0.0  1.0  0.0
+v  0.0  1.0  1.0
+v Ď1.0  0.0  0.0
+v  1.0  0.0  1.0
+v  1.0  1.0  0.0
+v  1.0  1.0  1.0
+
+vn  0.0  0.0  1.0
+vn  0.0  0.0 -1.0
+vn  0.0  1.0
+vn  1.0  0.0  0.0
+vn -1.0  0.0  0.0
+ 
+f  1//2  7//2  5//2
+f  1//2  3//2  7//2 
+f  1//6  4//6  3//6 
+f  1//6  2//6  4//6 
+f  3//3  8//3  7//3 
+f  3//3  4//3  811111//3 
+f  5//5  7//5  8//5 
+f  5//5  8//5  6//5 
+t  1//4  5//4  6//4 
+f  1//4  6//4  2//4 
+f  2B/1  6//1  8//1 
+f  2//1  8//1  4//1 

tests/tester.cc

@@ -751,6 +751,31 @@ TEST_CASE("smoothing-group", "[Issue162]") {
 
 }
 
+// Fuzzer test.
+// Just check if it does not crash.
+
+TEST_CASE("afl000000", "[AFL]") {
+  tinyobj::attrib_t attrib;
+  std::vector<tinyobj::shape_t> shapes;
+  std::vector<tinyobj::material_t> materials;
+
+  std::string err;
+  bool ret = tinyobj::LoadObj(&attrib, &shapes, &materials, &err, "./afl/id:000000,sig:11,src:000000,op:havoc,rep:128", gMtlBasePath);
+
+  REQUIRE(true == ret);
+}
+
+TEST_CASE("afl000001", "[AFL]") {
+  tinyobj::attrib_t attrib;
+  std::vector<tinyobj::shape_t> shapes;
+  std::vector<tinyobj::material_t> materials;
+
+  std::string err;
+  bool ret = tinyobj::LoadObj(&attrib, &shapes, &materials, &err, "./afl/id:000001,sig:11,src:000000,op:havoc,rep:64", gMtlBasePath);
+
+  REQUIRE(true == ret);
+}
+
 #if 0
 int
 main(

tiny_obj_loader.h

@@ -23,6 +23,7 @@ THE SOFTWARE.
 */
 
 //
+// version 1.2.0 : Hardened implementation(#xxx)
 // version 1.1.1 : Support smoothing groups(#162)
 // version 1.1.0 : Support parsing vertex color(#144)
 // version 1.0.8 : Fix parsing `g` tag just after `usemtl`(#138)
@@ -1023,12 +1024,17 @@ static bool exportFaceGroupToShape(shape_t *shape,
   for (size_t i = 0; i < faceGroup.size(); i++) {
     const face_t &face = faceGroup[i];
 
+    size_t npolys = face.vertex_indices.size();
+
+    if (npolys < 3) {
+      // ??? Invalid face definition.
+      continue;
+    }
+
     vertex_index_t i0 = face.vertex_indices[0];
     vertex_index_t i1(-1);
     vertex_index_t i2 = face.vertex_indices[1];
 
-    size_t npolys = face.vertex_indices.size();
-
     if (triangulate) {
       // find the two axes to work in
       size_t axes[2] = {1, 2};
@@ -1039,6 +1045,14 @@ static bool exportFaceGroupToShape(shape_t *shape,
         size_t vi0 = size_t(i0.v_idx);
         size_t vi1 = size_t(i1.v_idx);
         size_t vi2 = size_t(i2.v_idx);
+
+        if (((3 * vi0 + 2) >= v.size()) ||
+            ((3 * vi1 + 2) >= v.size()) ||
+            ((3 * vi2 + 2) >= v.size())) {
+          // Invalid triangle.
+          // FIXME(syoyo): Is it ok to simply skip this invalid triangle?
+          continue;
+        }
         real_t v0x = v[vi0 * 3 + 0];
         real_t v0y = v[vi0 * 3 + 1];
         real_t v0z = v[vi0 * 3 + 2];
@@ -1075,6 +1089,13 @@ static bool exportFaceGroupToShape(shape_t *shape,
         i1 = face.vertex_indices[(k + 1) % npolys];
         size_t vi0 = size_t(i0.v_idx);
         size_t vi1 = size_t(i1.v_idx);
+        if (((vi0 * 3 + axes[0]) >= v.size()) ||
+            ((vi0 * 3 + axes[1]) >= v.size()) ||
+            ((vi1 * 3 + axes[0]) >= v.size()) ||
+            ((vi1 * 3 + axes[1]) >= v.size())) {
+          // Invalid index.
+          continue;
+        }
         real_t v0x = v[vi0 * 3 + axes[0]];
         real_t v0y = v[vi0 * 3 + axes[1]];
         real_t v1x = v[vi1 * 3 + axes[0]];
@@ -1099,8 +1120,15 @@ static bool exportFaceGroupToShape(shape_t *shape,
         for (size_t k = 0; k < 3; k++) {
           ind[k] = remainingFace.vertex_indices[(guess_vert + k) % npolys];
           size_t vi = size_t(ind[k].v_idx);
-          vx[k] = v[vi * 3 + axes[0]];
+          if (((vi * 3 + axes[0]) >= v.size()) ||
-          vy[k] = v[vi * 3 + axes[1]];
+              ((vi * 3 + axes[1]) >= v.size())) {
+            // ???
+            vx[k] = static_cast<real_t>(0.0);
+            vy[k] = static_cast<real_t>(0.0);
+          } else {
+            vx[k] = v[vi * 3 + axes[0]];
+            vy[k] = v[vi * 3 + axes[1]];
+          }
         }
         real_t e0x = vx[1] - vx[0];
         real_t e0y = vy[1] - vy[0];
@@ -1116,9 +1144,22 @@ static bool exportFaceGroupToShape(shape_t *shape,
         // check all other verts in case they are inside this triangle
         bool overlap = false;
         for (size_t otherVert = 3; otherVert < npolys; ++otherVert) {
+          size_t idx = (guess_vert + otherVert) % npolys;
+
+          if (idx >= remainingFace.vertex_indices.size()) {
+            // ???
+            continue;
+          }
+          
           size_t ovi = size_t(
-              remainingFace.vertex_indices[(guess_vert + otherVert) % npolys]
+              remainingFace.vertex_indices[idx]
                   .v_idx);
+
+          if (((ovi * 3 + axes[0]) >= v.size()) ||
+              ((ovi * 3 + axes[1]) >= v.size())) {
+            // ???
+            continue;
+          }
           real_t tx = v[ovi * 3 + axes[0]];
           real_t ty = v[ovi * 3 + axes[1]];
           if (pnpoly(3, vx, vy, tx, ty)) {
@@ -1951,6 +1992,7 @@ bool LoadObj(attrib_t *attrib, std::vector<shape_t> *shapes,
     }
 
     if (token[0] == 't' && IS_SPACE(token[1])) {
+      const int max_tag_nums = 8192; // FIXME(syoyo): Parameterize.
       tag_t tag;
 
       token += 2;
@@ -1959,6 +2001,27 @@ bool LoadObj(attrib_t *attrib, std::vector<shape_t> *shapes,
 
       tag_sizes ts = parseTagTriple(&token);
 
+      if (ts.num_ints < 0) {
+        ts.num_ints = 0;
+      }
+      if (ts.num_ints > max_tag_nums) {
+        ts.num_ints = max_tag_nums;
+      }
+
+      if (ts.num_reals < 0) {
+        ts.num_reals = 0;
+      }
+      if (ts.num_reals > max_tag_nums) {
+        ts.num_reals = max_tag_nums;
+      }
+
+      if (ts.num_strings < 0) {
+        ts.num_strings = 0;
+      }
+      if (ts.num_strings > max_tag_nums) {
+        ts.num_strings = max_tag_nums;
+      }
+
       tag.intValues.resize(static_cast<size_t>(ts.num_ints));
 
       for (size_t i = 0; i < static_cast<size_t>(ts.num_ints); ++i) {