gltfpack: Minor fuzzing updates

- Copy a seed GLB into the target folder; without this we currently can't build up a valid GLB from scratch due to the fuzzing strategy - Fix a mostly benign &v[0] access when a primitive is empty - Drop texture streams with index 32 and above since they don't fit into the bitset and the previous behavior was triggering (benign) UB
zeux · Oct 28, 2023 · 7073dc2 · 7073dc2
1 parent 0415662
commit 7073dc2
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -116,6 +116,7 @@ ifeq ($(config),fuzz)
 gltffuzz: $(BUILD)/gltfpack
 	cp $^ $@
 	mkdir -p /tmp/gltffuzz
+	cp gltf/fuzz.glb /tmp/gltffuzz/
 	./gltffuzz /tmp/gltffuzz -fork=16 -dict=gltf/fuzz.dict -ignore_crashes=1 -max_len=32768
 endif
 

diff --git a/gltf/mesh.cpp b/gltf/mesh.cpp
@@ -409,7 +409,7 @@ void filterStreams(Mesh& mesh, const MaterialInfo& mi)
 			morph_tangent = morph_tangent || (stream.type == cgltf_attribute_type_tangent && !isConstant(stream.data, { 0, 0, 0, 0 }));
 		}
 
-		if (stream.type == cgltf_attribute_type_texcoord && (mi.textureSetMask & (1u << stream.index)) != 0)
+		if (stream.type == cgltf_attribute_type_texcoord && stream.index < 32 && (mi.textureSetMask & (1u << stream.index)) != 0)
 		{
 			keep_texture_set = std::max(keep_texture_set, stream.index);
 		}

diff --git a/gltf/parsegltf.cpp b/gltf/parsegltf.cpp
@@ -188,7 +188,8 @@ static void parseMeshesGltf(cgltf_data* data, std::vector<Mesh>& meshes, std::ve
 			if (primitive.indices)
 			{
 				result.indices.resize(primitive.indices->count);
-				cgltf_accessor_unpack_indices(primitive.indices, &result.indices[0], result.indices.size());
+				if (!result.indices.empty())
+					cgltf_accessor_unpack_indices(primitive.indices, &result.indices[0], result.indices.size());
 
 				for (size_t i = 0; i < result.indices.size(); ++i)
 					assert(result.indices[i] < vertex_count);