gltfFileLoader: Array length out of bounds

Env: Windows 10 x64 / Firefox 115


Manually running new Uint8Array(arrayBufferView.buffer, (arrayBufferView).byteOffset + byteOffset, byteLength) can get correct result.

Here is runtime vars in devtools.

It looks like the check (arrayBufferView as Uint8Array).byteOffset + byteLength > arrayBufferView.byteLength is incorrect.
The model is loaded using loadAssetContainerAsync.

ping @bghgary . It’s Thanksgiving so he may take a few days to answer.

I think the correct check should be:


@kzhsw Can you send the asset that was causing the issue originally? I don’t believe the fix from @Evgeni_Popov is the original intention for the code and will cause the code to read bytes that it shouldn’t.

It’s fixed by the linked pr.
To compare:


It may not be the right/full fix, that’s why we would need access to the source asset to investigate the issue more.

I’ve updated the range check to be what was intended. @kzhsw I made sure the PG you sent works, but can you make sure it is working for your full scenario?

Fix incorrect range check when reading glTF buffer by bghgary · Pull Request #14557 · BabylonJS/Babylon.js (


I patched node_modules like this and it works.

1 Like