gltfFileLoader: Array length out of bounds

kzhsw · November 22, 2023, 9:23am

Env: Windows 10 x64 / Firefox 115

Code:

BabylonJS/Babylon.js/blob/c30577433112e98f08d8097bb94c3b835c95f9c6/packages/dev/loaders/src/glTF/glTFFileLoader.ts#L49-L60


      
          function readViewAsync(arrayBufferView: ArrayBufferView, byteOffset: number, byteLength: number): Promise<Uint8Array> {

              try {

                  if ((arrayBufferView as Uint8Array).byteOffset + byteLength > arrayBufferView.byteLength) {

                      throw new Error("Array length out of bounds.");

                  }

          

                  return Promise.resolve(new Uint8Array(arrayBufferView.buffer, (arrayBufferView as Uint8Array).byteOffset + byteOffset, byteLength));

              } catch (e) {

                  return Promise.reject(e);

              }

          }

Manually running new Uint8Array(arrayBufferView.buffer, (arrayBufferView).byteOffset + byteOffset, byteLength) can get correct result.

Here is runtime vars in devtools.
vars

It looks like the check (arrayBufferView as Uint8Array).byteOffset + byteLength > arrayBufferView.byteLength is incorrect.
The model is loaded using loadAssetContainerAsync.

Cedric · November 22, 2023, 9:37am

ping @bghgary . It’s Thanksgiving so he may take a few days to answer.

Evgeni_Popov · November 22, 2023, 12:02pm

I think the correct check should be:

bghgary · November 27, 2023, 10:10pm

@kzhsw Can you send the asset that was causing the issue originally? I don’t believe the fix from @Evgeni_Popov is the original intention for the code and will cause the code to read bytes that it shouldn’t.

kzhsw · November 28, 2023, 7:30am

It’s fixed by the linked pr.
To compare:
before

after

Evgeni_Popov · November 28, 2023, 10:51am

It may not be the right/full fix, that’s why we would need access to the source asset to investigate the issue more.

bghgary · November 29, 2023, 12:34am

I’ve updated the range check to be what was intended. @kzhsw I made sure the PG you sent works, but can you make sure it is working for your full scenario?

Fix incorrect range check when reading glTF buffer by bghgary · Pull Request #14557 · BabylonJS/Babylon.js (github.com)

kzhsw · November 29, 2023, 12:58am

I patched node_modules like this and it works.

Topic		Replies	Views
GLTFFileLoader.loadFile does not call onError callback for files with less than 20 characters Bugs	4	503	September 14, 2021
Uncaught (in promise) Error: /buffers/0: Invalid typed array length: 44121244 Questions	3	599	April 1, 2022
Error loading GLB file but GLTF file can be loaded correctly Bugs glb	16	1432	January 26, 2024
I try to use in babylonjs with ArrayBuffer parsed by loaders.gl Questions	7	582	January 30, 2024
The gltfFileLoader reported an error. It's serious. please！！！ Bugs material	10	59	October 31, 2024

gltfFileLoader: Array length out of bounds

Related topics