-
Notifications
You must be signed in to change notification settings - Fork 215
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential use-after-free in GltfConverters
/ AssetFetcher
#893
Comments
One easy improvement idea is to delete the |
This has been addressed in #912 . |
I'm going to reopen this, because we generally don't close issues until the PR that addresses them is merged. If you add "Fixes #893" to the top post of the PR, then GitHub will automatically close the issue upon merge. |
Whoops! No problem. |
The new
AssetFetcher
introduced in #854 stores theAsyncSystem
and the vector of request headers by reference. This is safe if at least one of these is true:AssetFetcher
is only used during the course of the function it is passed to, never after the function returns. But this is not true.I3dmToGltfConverter
captures it in a lambda to be used later, after the function returns. Even if we fix this converter, future converters will need to keep this in mind as well.The current use may very well be safe (even checking that is a fair bit of work), but it's precarious. It's easy to imagine future changes leading to subtle, intermittent bugs.
The easiest solution is store the AsyncSystem and request headers by value instead. If that's too expensive, the next best thing is to pass them to the function directly rather than wrapping them up in
AssetFetcher
. It makes for a lot of parameters, but it's much more natural / obvious to capture them by value that way.CC @timoore
The text was updated successfully, but these errors were encountered: