
Security: Fix unsafe pointer buffer overread in TextualStl parser#90

Open
trek-e wants to merge 2 commits into rubenwe:master from trek-e:security/fix-unsafe-pointer-textualstl

Conversation

@trek-e trek-e commented Jan 24, 2026

Summary

  • Fixes a high-severity out-of-bounds memory read vulnerability in TextualStl.cs
  • The text-based STL parser used unsafe pointer operations without bounds checking
  • Malformed STL files could cause reads past the end of the file buffer

Security Impact

  • Severity: High
  • Attack Vector: Maliciously crafted STL files with truncated data
  • Impact: Information disclosure (reading uninitialized memory), potential crash

Changes

  1. Added endOfFile pointer tracking throughout all parsing methods
  2. Added bounds checks before every pointer dereference
  3. Added maximum facet count limit (10 million) to prevent memory exhaustion
  4. Changed parsing methods to return bool for graceful failure handling
  5. Graceful handling of truncated/malformed files instead of crashes

Test plan

  • Verify normal STL files still parse correctly
  • Verify truncated files are handled gracefully without crashes
  • Verify very large facet counts are rejected

🤖 Generated with Claude Code

trek-e and others added 2 commits January 23, 2026 18:39
- STACK.md - Technologies and dependencies
- ARCHITECTURE.md - System design and patterns
- STRUCTURE.md - Directory layout
- CONVENTIONS.md - Code style and patterns
- TESTING.md - Test structure
- INTEGRATIONS.md - External services
- CONCERNS.md - Technical debt and issues

The text-based STL parser used unsafe pointer operations without bounds
checking, allowing malformed files to cause out-of-bounds memory reads.
checking, allowing malformed files to cause out-of-bounds memory reads.

This fix adds:
- End-of-buffer pointer tracking throughout all parsing methods
- Bounds checks before every pointer dereference
- Maximum facet count limit (10M) to prevent memory exhaustion
- Graceful handling of truncated/malformed files

Security impact:
- Prevents out-of-bounds memory reads from malicious STL files
- Prevents denial of service via memory exhaustion

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
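The bounds-check pattern that the PR description and the commit message above describe, as an added example that is not the project's TextualStl.cs code: a small ASCII STL parser in C (standing in for the C# unsafe-pointer code, which reads the same way) that carries an end-of-buffer pointer, checks it before every read, returns failure instead of reading past a truncated file, and enforces a facet ceiling. The STL text, the function names and the `max_facets` parameter are my own constructions; the project's real parser is not shown here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { float n[3]; float v[3][3]; } facet_t;

/* Cursor over a buffer that is not NUL-terminated. Every read goes through
 * a `p < end` check; that check is what the unpatched parser lacked. */
typedef struct { const char *p; const char *end; } cursor_t;

static void skip_ws(cursor_t *c)   { while (c->p < c->end && isspace((unsigned char)*c->p)) c->p++; }
static void skip_line(cursor_t *c) { while (c->p < c->end && *c->p != '\n') c->p++; }

/* Consume keyword `kw`; false if the buffer ends first or the token differs. */
static bool expect(cursor_t *c, const char *kw) {
    size_t n = strlen(kw);
    skip_ws(c);
    if ((size_t)(c->end - c->p) < n) return false;             /* truncated */
    if (memcmp(c->p, kw, n) != 0) return false;                /* wrong token */
    if (c->p + n < c->end && !isspace((unsigned char)c->p[n])) return false;
    c->p += n;
    return true;
}

/* Copy the token into a NUL-terminated scratch buffer first: strtod() run
 * directly on the raw buffer would itself scan past `end` on a truncated file. */
static bool parse_float(cursor_t *c, float *out) {
    char tok[64];
    size_t n = 0;
    skip_ws(c);
    while (c->p < c->end && !isspace((unsigned char)*c->p)) {
        if (n + 1 >= sizeof tok) return false;                 /* token too long */
        tok[n++] = *c->p++;
    }
    if (n == 0) return false;                                  /* nothing left to read */
    tok[n] = '\0';
    char *e; double d = strtod(tok, &e);
    if (*e != '\0') return false;                              /* not a number */
    *out = (float)d;
    return true;
}

static bool parse_vec3(cursor_t *c, float v[3]) {
    return parse_float(c, &v[0]) && parse_float(c, &v[1]) && parse_float(c, &v[2]);
}

static bool parse_facet(cursor_t *c, facet_t *f) {
    if (!expect(c, "facet") || !expect(c, "normal") || !parse_vec3(c, f->n)) return false;
    if (!expect(c, "outer") || !expect(c, "loop")) return false;
    for (int i = 0; i < 3; i++)
        if (!expect(c, "vertex") || !parse_vec3(c, f->v[i])) return false;
    return expect(c, "endloop") && expect(c, "endfacet");
}

/* Parse buf[0..len). Returns the facet count, or -1 on a truncated or malformed
 * file, or once more than `max_facets` facets appear (the ceiling that keeps a
 * hostile file from forcing unbounded allocation). Stores at most `cap` facets. */
static long parse_text_stl(const char *buf, size_t len, facet_t *out, size_t cap, size_t max_facets) {
    cursor_t c = { buf, buf + len };
    if (!expect(&c, "solid")) return -1;
    skip_line(&c);                                             /* solid <name> */
    size_t count = 0;
    for (;;) {
        cursor_t save = c;
        if (expect(&c, "endsolid")) break;
        c = save;
        if (count >= max_facets) return -1;                    /* facet ceiling */
        facet_t tmp;
        if (!parse_facet(&c, &tmp)) return -1;                 /* truncated / malformed */
        if (count < cap) out[count] = tmp;
        count++;
    }
    return (long)count;
}

/* Constructed samples: a one-triangle file (also parsed cut off after 60 bytes,
 * i.e. in the middle of its second vertex) and a two-triangle file for the ceiling. */
static const char ONE[] =
    "solid tri\n facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n"
    "   vertex 1.5 0 0\n   vertex 0 2 0\n  endloop\n endfacet\nendsolid tri\n";
#define TRI " facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n   vertex 1 0 0\n   vertex 0 1 0\n  endloop\n endfacet\n"
static const char TWO[] = "solid two\n" TRI TRI "endsolid two\n";

static long  demo_good(void)      { facet_t f[1]; return parse_text_stl(ONE, sizeof ONE - 1, f, 1, 10000000); }
static long  demo_truncated(void) { facet_t f[1]; return parse_text_stl(ONE, 60, f, 1, 10000000); }
static long  demo_two(void)       { facet_t f[2]; return parse_text_stl(TWO, sizeof TWO - 1, f, 2, 10000000); }
static long  demo_limit(void)     { facet_t f[2]; return parse_text_stl(TWO, sizeof TWO - 1, f, 2, 1); }
static float demo_vertex_x(void)  { facet_t f[1]; parse_text_stl(ONE, sizeof ONE - 1, f, 1, 10000000); return f[0].v[1][0]; }

int main(void) {
    printf("one=%ld truncated=%ld two=%ld limit=%ld x=%g\n",
           demo_good(), demo_truncated(), demo_two(), demo_limit(), demo_vertex_x());
    return 0;
}
```

Two details carry over to the C# fix regardless of language. First, a numeric conversion that scans for its own terminator (strtod here, or pointer-walking float parsing in an unsafe block) is itself an overread on a buffer that is not terminated, so the bounds check has to cover the token scan, not just the keyword compare. Second, ASCII STL has no facet count in its header, so the 10 million facet ceiling can only be enforced as facets are counted during parsing, which is why the check sits inside the loop rather than up front.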