Security: Fix integer overflow in BinaryStl parser #91

Open
trek-e wants to merge 2 commits into rubenwe:master from trek-e:security/fix-integer-overflow-binarystl

trek-e commented Jan 24, 2026

Summary

  • Fixes integer overflow vulnerability in BinaryStl.cs
  • usedCount * 50 could overflow when facet count is very large (> ~85 million)
  • Added bounds checking and input validation

Security Impact

  • Severity: Medium
  • Attack Vector: Maliciously crafted STL files with large facet counts
  • Impact: Integer overflow leading to buffer under-allocation, memory corruption

Changes

  1. Added maximum facet count limit (10 million) to prevent memory exhaustion
  2. Added minimum file size validation before reading
  3. Changed to long arithmetic to prevent integer overflow in size calculations
  4. Added null checks for input arrays
  5. Added named constants for magic numbers (FacetSize=50, HeaderSize=84)

Test plan

  • Verify normal STL files still parse correctly
  • Verify files with excessive facet counts are rejected
  • Verify malformed files with incorrect facet counts are handled

🤖 Generated with Claude Code

trek-e and others added 2 commits January 23, 2026 18:39
- STACK.md - Technologies and dependencies
- ARCHITECTURE.md - System design and patterns
- STRUCTURE.md - Directory layout
- CONVENTIONS.md - Code style and patterns
- TESTING.md - Test structure
- INTEGRATIONS.md - External services
- CONCERNS.md - Technical debt and issues

The binary STL parser had several security issues:
1. Integer overflow in `usedCount * 50` calculation when facet count is large
2. No validation for minimum file size before reading
3. No limit on facet count to prevent memory exhaustion

This fix adds:
- Maximum facet count limit (10 million) to prevent memory exhaustion
- Minimum file size validation
- Long arithmetic to prevent integer overflow in size calculations
- Null checks for input arrays
- Constants for magic numbers (FacetSize, HeaderSize)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
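
The checks listed in the pull request description and in the commit message above (null check, minimum file size, facet-count cap, 64-bit size arithmetic), as an added C# example; it is not the code from this pull request or from the project. The class and method names are hypothetical; `HeaderSize`, `FacetSize` and the 10 million cap are the values named in the description, and the sample buffers and counts are constructed.

```csharp
using System;
using System.Buffers.Binary;

// Added example, not the project's BinaryStl.cs. Class and method names are hypothetical.
static class BinaryStlBounds
{
    const int HeaderSize = 84;             // 80-byte header + 4-byte facet count (value from the PR)
    const int FacetSize = 50;              // bytes per facet record (value from the PR)
    const uint MaxFacetCount = 10_000_000; // cap stated in the PR

    // Returns the declared facet count only if the buffer can really hold that many facets.
    public static int ValidateFacetCount(byte[] data)
    {
        if (data == null) throw new ArgumentNullException(nameof(data));
        if (data.Length < HeaderSize)
            throw new FormatException("File is shorter than the 84-byte STL header.");

        // The count comes from the file, so treat it as untrusted: unsigned, little-endian.
        uint declared = BinaryPrimitives.ReadUInt32LittleEndian(data.AsSpan(80, 4));
        if (declared > MaxFacetCount)
            throw new FormatException($"Facet count {declared} exceeds limit {MaxFacetCount}.");

        // 64-bit arithmetic: the product cannot wrap for any 32-bit count.
        long required = HeaderSize + (long)declared * FacetSize;
        if (required > data.Length)
            throw new FormatException($"{declared} facets need {required} bytes, file has {data.Length}.");

        return (int)declared;
    }

    static void Main()
    {
        // 32-bit multiplication wraps for a large count; the 64-bit product does not.
        int huge = 100_000_000; // constructed value
        Console.WriteLine($"int:  {huge} * 50 = {unchecked(huge * FacetSize)}");
        Console.WriteLine($"long: {huge} * 50 = {(long)huge * FacetSize}");

        // Constructed input: header declaring uint.MaxValue facets with no facet data behind it.
        byte[] oversized = new byte[HeaderSize];
        BinaryPrimitives.WriteUInt32LittleEndian(oversized.AsSpan(80, 4), uint.MaxValue);
        try { ValidateFacetCount(oversized); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }

        // Constructed input: one facet, correctly sized.
        byte[] ok = new byte[HeaderSize + FacetSize];
        BinaryPrimitives.WriteUInt32LittleEndian(ok.AsSpan(80, 4), 1);
        Console.WriteLine("accepted facets: " + ValidateFacetCount(ok));
    }
}
```

The cap and the length comparison are separate checks on purpose: the cap bounds memory use for large but well-formed files, while the length comparison rejects any count the file cannot back with data.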