Fix RapidJSON null allocator deref in schema validator#167
Conversation
Apply a small CMake patch script during the RapidJSON ExternalProject_Add download step to fix CWE-476: null pointer dereference in GenericSchemaValidator::EndMissingDependentProperties() (replaces &GetInvalidSchemaPointer().GetAllocator() with &GetStateAllocator()). Adds regression tests for the missing-dependent-property crash and a Linux Clang ASAN/UBSAN sanitizer CI workflow. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR mitigates a RapidJSON schema validator null-pointer dereference (CWE-476) by applying a small CMake-based patch during RapidJSON’s ExternalProject_Add download step, and adds regression coverage plus a Linux Clang ASAN/UBSAN CI job to catch similar issues.
Changes:
- Add two regression tests for missing-dependent-property schema validation failures.
- Introduce a CMake patch script to modify RapidJSON’s
schema.hduring external download. - Add a reusable GitHub Actions sanitizer workflow and wire it into the main CI workflow.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
GLTFSDK.Test/Source/DeserializeTests.cpp |
Adds malformed JSON inputs and regression tests expecting ValidationException instead of a crash. |
External/RapidJSON/patches/fix-null-allocator-deref.cmake |
Adds a CMake script to patch RapidJSON schema.h to avoid null allocator deref. |
External/RapidJSON/CMakeRapidJSONDownload.txt.in |
Runs the patch script via PATCH_COMMAND during RapidJSON ExternalProject_Add. |
.github/workflows/sanitizer.yml |
Adds a workflow to build with Clang + ASAN/UBSAN and run unit tests on Linux. |
.github/workflows/ci.yml |
Adds a sanitizer job that calls the new sanitizer workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
RAND_MAX expands to 2147483647 which cannot be exactly represented as a float. Cast RAND_MAX explicitly to float to silence the warning under clang with -Werror (used by the sanitizer CI job). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
bghgary
left a comment
bghgary
left a comment
There was a problem hiding this comment.
[Reviewed by Copilot on behalf of @bghgary]
The fix is correct and the sanitizer CI is a nice add. Agree with all four of Copilot's inline comments.
The biggest one is #2 — string(FIND ... -1) returns STATUS instead of FATAL_ERROR when neither pattern is present. Combined with the GIT_TAG pin, a future RapidJSON bump can silently regress the security fix. Three states should be distinguished:
&GetStateAllocator()already present → already patched, returnSTATUS.&GetInvalidSchemaPointer().GetAllocator()present → apply patch.- Neither →
FATAL_ERROR.
#4 — c_missingDependentPropertyBufferView duplicates the existing c_invalidAccessorDependency; reuse it.
One nit beyond Copilot's comments: ASAN_OPTIONS: detect_leaks=0 disables leak detection. Intentional or just template default? Worth flipping to 1 if there's no reason to skip.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
static_cast<T>(round(f*scale)) without clamping is undefined behavior when f falls outside the destination integer type's normalized range. UBSan flagged this on Linux (FloatToComponent<uint8_t> with a negative float), and clang on macOS produced values inconsistent with MSVC, causing AnimationUtils_Test_GetRotations to fail there while passing on Windows. Clamp to [-1,1] for signed and [0,1] for unsigned types before scaling, matching the glTF 2.0 spec for normalized component encoding and the existing clamp in ComponentToFloat for signed types. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Apply a small CMake patch script during the RapidJSON ExternalProject_Add download step to fix CWE-476: null pointer dereference in GenericSchemaValidator::EndMissingDependentProperties() (replaces &GetInvalidSchemaPointer().GetAllocator() with &GetStateAllocator()).
Adds regression tests for the missing-dependent-property crash and a Linux Clang ASAN/UBSAN sanitizer CI workflow.