A crafted input leads to a crash (divide-by-zero vulnerability) at COLLADASaxFWLMeshLoader.cpp:951 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
PoC: PoC.zip
Triggered by:
$ ./OpenCOLLADAValidator PoC.dae
ASAN report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1655395==ERROR: AddressSanitizer: FPE on unknown address 0x55899c054fd6 (pc 0x55899c054fd6 bp 0x000000000002 sp 0x7fffcabc85c0 T0)
#0 0x55899c054fd5 in COLLADASaxFWL::MeshLoader::initializeTexCoordsOffset() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:953
#1 0x55899c056e07 in COLLADASaxFWL::MeshLoader::initializeOffsets() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:734
#2 0x55899c0571b1 in COLLADASaxFWL::MeshLoader::begin__p() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:1464
#3 0x55899b231812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
#4 0x55899c09a3e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
#5 0x7fed0d2285a6 in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b5a6)
#6 0x7fed0d22af27 (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
#7 0x7fed0d2307cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
#8 0x7fed0d231f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
#9 0x55899c09a9cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
#10 0x55899ac8a3ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
#11 0x55899ac87a3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
#12 0x55899ac182be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
#13 0x55899ac086f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
#14 0x55899abb4fbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
#15 0x7fed0ccc50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#16 0x55899ac078ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:953 in COLLADASaxFWL::MeshLoader::initializeTexCoordsOffset()
==1655395==ABORTING
GDB info:
The stride variable is zero and the program received SIGFPE, as follows.
Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
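The report traces the SIGFPE to a zero stride reaching integer division in initializeTexCoordsOffset(). As an added illustration (not OpenCOLLADA's code), the hypothetical reader below shows where such a check belongs: in COLLADA a `<p>` index list is consumed `stride` indices per vertex (stride = largest input offset + 1) and the TEXCOORD index sits at `texCoordOffset` inside each tuple, so both values are validated once before any `/` or `%` uses them. The struct and function names are assumptions for the example.

```cpp
// Added example, not OpenCOLLADA code: a hardened offset/stride helper for a
// COLLADA <p> index list. In C++, integer division or modulo by zero is
// undefined behaviour; on x86 it surfaces as SIGFPE, which is what the ASAN
// report above shows. The fix is to reject stride == 0 before the arithmetic.
#include <cstddef>
#include <optional>
#include <vector>

struct TexCoordLayout {           // hypothetical name
    std::size_t stride;           // indices consumed per vertex in <p>
    std::size_t texCoordOffset;   // position of the TEXCOORD index in a tuple
};

// Validate the layout once, before any arithmetic uses it.
// Rejects the zero-stride case and an offset that lies outside the tuple.
bool validateLayout(const TexCoordLayout& l) {
    return l.stride > 0 && l.texCoordOffset < l.stride;
}

// Number of complete vertex tuples in a <p> list, or nullopt when the layout
// is invalid or the index count is not a whole number of tuples.
std::optional<std::size_t> vertexCount(const std::vector<unsigned>& p,
                                       const TexCoordLayout& l) {
    if (!validateLayout(l)) return std::nullopt;   // never divide by zero
    if (p.size() % l.stride != 0) return std::nullopt;
    return p.size() / l.stride;
}

// TEXCOORD index of vertex i, or nullopt if it cannot be read safely.
std::optional<unsigned> texCoordIndex(const std::vector<unsigned>& p,
                                      const TexCoordLayout& l, std::size_t i) {
    auto n = vertexCount(p, l);
    if (!n || i >= *n) return std::nullopt;
    return p[i * l.stride + l.texCoordOffset];
}
```

Building the loader with `-fsanitize=undefined` (UBSan's integer-divide-by-zero check) reports the same defect as a diagnostic instead of a process crash, which is useful when fuzzing a parser like this one.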
Nalen98 changed the title from "Floating-point exception (SIGFPE) in in COLLADASaxFWL::MeshLoader::initializeTexCoordsOffset() at COLLADASaxFWLMeshLoader.cpp:951" to "Floating-point exception (SIGFPE) in COLLADASaxFWL::MeshLoader::initializeTexCoordsOffset() at COLLADASaxFWLMeshLoader.cpp:951" on Mar 20, 2021.