## UberZ Archive Vulnerability: Out-of-Bounds Write in Pointer Conversion Exposes GLTFIO, Tools to Memory Corruption
A critical vulnerability in the UberZ archive format's pointer conversion function exposes applications to memory corruption and crashes when they process untrusted files. The flaw resides in `uberz::convertOffsetsToPointers`, which rewrites attacker-controlled offsets from a decompressed archive into live pointers without validating that they remain within the archive buffer. In release builds the existing `assert_invariant` checks are compiled away, so malformed values for `specsOffset`, `flagsOffset`, `packageOffset`, or `nameOffset` make the converter write invalid pointers into the archive structure and then keep traversing through them.

Real-world call sites that load untrusted `.uberz` content are directly impacted, including `gltfio::ArchiveCache::load` and the append path within `tools/uberz`. This means any application or service—potentially in graphics pipelines, asset tooling, or content delivery systems—that ingests external UberZ archives is at risk of crashes or broader, exploitable memory corruption. The vulnerability stems from a lack of size-awareness during the offset-to-pointer rewrite, a fundamental safety gap in the archive deserialization process.

The provided fix changes the conversion API to accept the decompressed archive's size as a parameter, so that all offset-derived regions can be validated before any pointer writes occur. This closes a path to arbitrary memory writes, and it points to a systemic issue: archive parsers that handle external data must enforce rigorous bounds checking. Graphics and asset tooling stacks routinely process compressed binary formats without sufficient input sanitization, and this exposure shows the latent risk in doing so.
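
A size-aware validation pass of the kind described above, as an added example: this is not Filament's code or the actual patch. The `Header`/`Spec` layout and the functions `inBounds`, `validateArchive` and `makeSample` are hypothetical; only the offset field names come from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical, simplified layout (NOT the real UberZ structs); field names follow the page.
struct Header { uint64_t specsCount; uint64_t specsOffset; };
struct Spec { uint64_t nameOffset; uint64_t packageOffset; uint64_t packageSize; };

// True when [off, off + len) lies inside a buffer of `size` bytes; written so it cannot wrap.
bool inBounds(uint64_t off, uint64_t len, uint64_t size) {
    return off <= size && len <= size - off;
}

// Checks every offset-derived region against the decompressed size. A converter would
// rewrite offsets into pointers only after this returns true, in release builds too.
bool validateArchive(const uint8_t* buf, size_t size) {
    Header h;
    if (size < sizeof h) return false;
    std::memcpy(&h, buf, sizeof h);  // memcpy avoids unaligned or aliased reads
    // Bound the count first so the multiplication below cannot overflow.
    if (h.specsCount > size / sizeof(Spec)) return false;
    if (!inBounds(h.specsOffset, h.specsCount * sizeof(Spec), size)) return false;
    for (uint64_t i = 0; i < h.specsCount; ++i) {
        Spec s;
        std::memcpy(&s, buf + h.specsOffset + i * sizeof(Spec), sizeof s);
        if (!inBounds(s.packageOffset, s.packageSize, size)) return false;
        if (s.nameOffset >= size) return false;
        // The name must be NUL-terminated before the end of the buffer.
        if (!std::memchr(buf + s.nameOffset, 0, size - s.nameOffset)) return false;
    }
    return true;
}

// Constructed sample: 48 bytes holding one spec, the name "lit" at offset 40 and a
// package region starting at offset 44. The arguments let a caller corrupt each field.
std::vector<uint8_t> makeSample(uint64_t specsOff, uint64_t nameOff, uint64_t pkgSize) {
    std::vector<uint8_t> b(sizeof(Header) + sizeof(Spec) + 8, 0);
    Header h{1, specsOff};
    Spec s{nameOff, sizeof(Header) + sizeof(Spec) + 4, pkgSize};
    std::memcpy(b.data(), &h, sizeof h);
    std::memcpy(b.data() + sizeof h, &s, sizeof s);
    std::memcpy(b.data() + sizeof h + sizeof s, "lit", 4);
    return b;
}

int main() {
    auto ok = makeSample(16, 40, 4), bad = makeSample(16, 40, 5);
    return validateArchive(ok.data(), ok.size()) && !validateArchive(bad.data(), bad.size()) ? 0 : 1;
}
```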

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: memory-corruption, vulnerability, graphics-pipeline, binary-parsing, c++
- **Credibility**: unverified
- **Published**: 2026-04-13 21:22:51
- **ID**: 62617
- **URL**: https://whisperx.ai/en/intel/62617