#252 SECURITY - OBJ import crashes on IEEE754 special values in vertex coordinates (nan/inf/1e999) — e3d_obj.erl:391

v1.0_(example)
open
None
5
7 days ago
7 days ago
No

Summary

Wings3D 2.4.1 crashes when importing a Wavefront OBJ file containing
IEEE754 special float values (nan, inf, -inf) or overflow exponents
(1e999) in vertex coordinate fields.

Affected Version

Wings3D 2.4.1 (latest) — macOS, Linux, Windows (platform-independent
Erlang source code)

Root Cause

The function str2float_2/2 in e3d_obj.erl (line 391) parses vertex
coordinate strings using Erlang pattern matching. It has no clause
to handle the strings "nan", "inf", "-inf", or exponents that
overflow to infinity (e.g. 1e999). When one is encountered, Erlang raises
an unhandled function_clause exception, which crashes the application.

Crash Call Stack (from ~/wings_crash.dump)

Reason: function_clause
e3d_obj:'-str2float_2/2-fun-0-'  [e3d_obj.erl:391]
e3d_obj:str2float_2/2            [e3d_obj.erl:391]
e3d_obj:parse/2                  [e3d_obj.erl:212]
e3d_obj:read_1/4                 [e3d_obj.erl:195]
e3d_obj:import_1/2               [e3d_obj.erl:59]
e3d_obj:import/1                 [e3d_obj.erl:46]

Confirmed Trigger Values

All of the following in any vertex coordinate field crash Wings3D:

v nan nan nan
v inf inf inf
v -inf -inf -inf
v 1.0e999 0.0 0.0

Reproduction Steps

  1. Save the attached cube-nan.obj to disk
  2. Open Wings3D 2.4.1
  3. File > Import > OBJ > select cube-nan.obj
  4. Observe: Internal Error dialog appears immediately
  5. Crash dump written to ~/wings_crash.dump

Suggested Fix

Add handling for IEEE754 special value strings in str2float_2/2
before the character-by-character pattern matching begins, or
wrap the parser in a try/catch returning a safe default (0.0)
on failure. Example:

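%% Str is the raw coordinate token. Map IEEE754 special-value
%% spellings to a safe default before the per-character parser runs.
case string:to_lower(Str) of
    "nan" ++ _  -> 0.0;
    "inf" ++ _  -> 0.0;
    "-inf" ++ _ -> 0.0;  % a signed infinity does not match "inf" ++ _
    _ -> existing_parsing_logic  % placeholder for the current parser
end.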

Alternatively use Erlang's built-in list_to_float/1 wrapped in
a try/catch block.

Reporter

Dr. Mohammadreza Ashouri
ByteScan Security Research
bytescan.net | audit@bytescan.net
CVE request submitted to MITRE (pending ID assignment)

2 Attachments
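
A pre-import check for untrusted OBJ files, as an added example that is not part of the original ticket or of the Wings3D code base: it flags v records whose coordinates are the special values or overflowing exponents listed under Confirmed Trigger Values. The names classify, scan_obj and SAMPLE are hypothetical, and the sample file is constructed.

```python
import math
import re

# Plain decimal syntax: optional sign, digits, optional fraction, optional exponent.
DECIMAL = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def classify(token):
    """Return None for a finite decimal literal, else a short reason string."""
    if not DECIMAL.fullmatch(token):
        if token.lower().lstrip("+-") in ("nan", "inf", "infinity"):
            return "special value"
        return "not a decimal number"
    # Syntactically valid, but the exponent may exceed the double range.
    if not math.isfinite(float(token)):
        return "overflows to infinity"
    return None


def scan_obj(text):
    """Return [(line_no, token, reason)] for bad coordinates on 'v' records."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop OBJ comments
        if not fields or fields[0] != "v":
            continue  # only vertex records are covered by the ticket
        for token in fields[1:]:
            reason = classify(token)
            if reason:
                findings.append((line_no, token, reason))
    return findings


# Constructed sample input (not the ticket's attached cube-nan.obj).
SAMPLE = """\
# constructed test file
v 1.0 -1.0 1.0
v nan 0.0 0.0
v 0.0 -inf 0.0
v 1.0e999 0.0 0.0
v 1 2e3 .5
f 1 2 3
"""

if __name__ == "__main__":
    for line_no, token, reason in scan_obj(SAMPLE):
        print(f"line {line_no}: {token!r}: {reason}")
```

An empty result means every v coordinate is a finite decimal literal; any finding identifies the line to inspect before the file is handed to an importer.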
