OSV-2026-371
Heap-buffer-overflow in tinyobj::tryParseDouble
How AI Introduced This
The suspected commit introduced a new byte-stream parser and, with it, new StreamReader-based numeric parsing paths (`sr_parseReal` and related code) that call the existing `tryParseDouble`. In this commit, `tryParseDouble` is present in the vulnerable form and is actively used by the new parsing logic, making the heap-buffer-overflow reachable in the rewritten parser. The commit message itself shows later follow-up hardening for parsing/bounds issues, which is consistent with this large parser rewrite being the point where the vulnerable code path was introduced into the new implementation.
Bug-Introducing Commits (1)
Add max_iter guards to parsing loops and mmap support for .obj/.mtl loading
From squash merge f27721f3c9cd
Sub-commits (26)
Initial plan
Add max_iter guards to parsing loops and mmap support for .obj/.mtl loading
Rewrite parser from line-based to byte-stream-based with EOF guards
Rewrite parser to byte-stream based with StreamReader for bounds-checked parsing
Merge remote-tracking branch 'origin/release' into copilot/harden-obj-mtl-parsing
Integrate changes from release: Windows long paths, texcoord w-component, BOM in callback, test fixes
Resolve merge conflicts between copilot/harden-obj-mtl-parsing and release
Add clang-style parse error reporting with early return on failure
Polish: hoist warning_context out of loop, fix no-op test
Co-authored-by: syoyo <18676+syoyo@users.noreply.github.com>
Fix sr_parseTagTriple slash-delimited count parsing and add regression assertions
Fix high/medium review findings: complete attrib reset, usemtl delimiter check, remove duplicate windows.h and dead errs...
Address low severity review items: document read_token, unify line_num naming, extract sr_skipTagField helper, refactor ...
Harden MappedFile with is_mapped flag to prevent unmapping string literals
Run GPT-5.3-Codex comprehensive review
Remove accidental CTest artifact and ignore Testing/Temporary
Fix stream offset handling and add oversized stream guards/tests
Final deep-review fixes for mtllib callback failure path
Stage-2 deep review fixes for mtllib empty tokens and mmap size guard parity
Stage-3 deep review: preserve mtllib backslashes and harden stream size check
Stage-4 review: fix callback usemtl parsing and harden int parsing
Stage-5 review: harden size parsing and Windows mmap path
Final polish: fix overflow guards, zero-length normalize, and minor inconsistencies
Tribunal Analysis
3 agents
CONFIRMED: GPT-5.4 (88%)
- Commit f27721f3c9cd20af4d4eee789431b92d0e0c4477 rewrites OBJ/MTL parsing to a new StreamReader byte-stream implementation.
- At this commit, `tiny_obj_loader.h` contains `tryParseDouble(const char *s, const char *s_end, double *result)` in the vulnerable form.
- The same commit adds new callers `sr_parseReal(...)` that invoke `tryParseDouble(start, start + len, &val)`, making the vulnerable parser part of the new byte-stream parsing path.
- The old pointer-based `parseReal` also calls `tryParseDouble`, but this commit newly wires the function into the rewritten parser that the commit introduces.
UNLIKELY: Claude Opus 4.6 (30%)
Fallback verdict: Agent exhausted max turns without submitting a verdict.
UNLIKELY: Gemini 3.1 Pro (30%)
Fallback verdict: Agent exhausted max turns without submitting a verdict.
Custom floating-point parsing loop without proper bounds checking on the input string buffer.
AI Signals (2)
| Tool | Signal | Evidence | Confidence |
| --- | --- | --- | --- |
| Claude Code | Co-author trailer | Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> | 95% |
| GitHub Copilot | Author email | Copilot@users.noreply.github.com | 95% |
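The root-cause line above names the defect class: a hand-written real-number parsing loop that does not check the end of its input range before reading. As an added illustration, not tinyobjloader's code, the parser below has the same `(const char *s, const char *s_end, double *result)` shape as `tryParseDouble` but tests `p < s_end` before every dereference, so it is safe on an unterminated range such as a memory-mapped file and rejects an input that is cut off mid-number (for example right after an exponent marker) instead of reading past it. The function names (`bounded_parse_real`, `scale_pow10`, `parse_unterminated`, `approx`) and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Multiply v by 10^e without libm; e is bounded by the caller. */
static double scale_pow10(double v, int e)
{
    while (e > 0) { v *= 10.0; e--; }
    while (e < 0) { v /= 10.0; e++; }
    return v;
}

/* Parses [+-]digits[.digits][(e|E)[+-]digits] from the range [s, s_end).
 * On success stores the value in *result, the position just past the number
 * in *endp (if endp is non-NULL) and returns 1; on an empty or malformed range
 * returns 0. No byte at or beyond s_end is ever read, and the range is never
 * assumed to carry a NUL terminator. */
static int bounded_parse_real(const char *s, const char *s_end,
                              double *result, const char **endp)
{
    const char *p = s;
    double sign = 1.0, mantissa = 0.0;
    int mantissa_digits = 0, frac_digits = 0;
    int exp_sign = 1, exponent = 0, exp_digits = 0;

    if (s == NULL || s_end == NULL || s_end < s || result == NULL) return 0;

    /* Optional sign: the bound check precedes every dereference. */
    if (p < s_end && (*p == '+' || *p == '-')) {
        if (*p == '-') sign = -1.0;
        p++;
    }

    /* Integer digits. */
    while (p < s_end && *p >= '0' && *p <= '9') {
        mantissa = mantissa * 10.0 + (double)(*p - '0');
        mantissa_digits++;
        p++;
    }

    /* Optional fraction. */
    if (p < s_end && *p == '.') {
        p++;
        while (p < s_end && *p >= '0' && *p <= '9') {
            mantissa = mantissa * 10.0 + (double)(*p - '0');
            mantissa_digits++;
            frac_digits++;
            p++;
        }
    }

    /* "", "+", "-", "." or a leading "e" carry no mantissa digits: reject. */
    if (mantissa_digits == 0) return 0;

    /* Optional exponent; the marker must be followed by at least one digit,
     * so a range that ends right after "e" or "e-" is rejected, not over-read. */
    if (p < s_end && (*p == 'e' || *p == 'E')) {
        p++;
        if (p < s_end && (*p == '+' || *p == '-')) {
            if (*p == '-') exp_sign = -1;
            p++;
        }
        while (p < s_end && *p >= '0' && *p <= '9') {
            /* Clamp so a long run of exponent digits cannot overflow int. */
            if (exponent < 100000) exponent = exponent * 10 + (*p - '0');
            exp_digits++;
            p++;
        }
        if (exp_digits == 0) return 0;
    }

    *result = sign * scale_pow10(mantissa, exp_sign * exponent - frac_digits);
    if (endp) *endp = p;
    return 1;
}

/* Convenience wrapper for a length-delimited, unterminated byte range.
 * Returns 1 on success and reports how many bytes were consumed. */
static int parse_unterminated(const char *buf, size_t len,
                              double *out, size_t *consumed)
{
    const char *end = NULL;
    int ok = bounded_parse_real(buf, buf + len, out, &end);
    if (ok && consumed) *consumed = (size_t)(end - buf);
    return ok;
}

/* Near-equality check that avoids a libm dependency. */
static int approx(double a, double b)
{
    double d = a - b;
    if (d < 0) d = -d;
    return d < 1e-9;
}

int main(void)
{
    /* Constructed input: the number runs right up to the end of the range and
     * the buffer has no terminator; the 'Z' after the range must never be read. */
    const char buf[] = { '-', '1', '.', '5', 'e', '-', '3', 'Z' };
    double v = 0.0;
    size_t used = 0;
    if (parse_unterminated(buf, 7, &v, &used))
        printf("parsed %g, consumed %zu of 7 bytes\n", v, used);
    /* The same bytes cut off after the exponent marker are rejected. */
    if (!parse_unterminated(buf, 5, &v, &used))
        printf("\"-1.5e\" rejected without reading past s_end\n");
    return 0;
}
```

The check to carry over to any such loop is the one on every branch above: the comparison against `s_end` happens before the byte is loaded, including for the sign, the `.`, the exponent marker and the exponent's sign, which are exactly the single-character lookaheads a parser is most tempted to read unconditionally.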