Standalone reproduction programs and crafted input files for memory safety bugs in raylib's file parsers.
Affected version: raylib master, commit c5fc771 (and all prior versions)
All five GPU texture parsers accept a file_size parameter but never validate
it. Allocation sizes and memcpy lengths are derived entirely from
attacker-controlled header fields.
Requires rltexgpu.h from the raylib source tree (src/external/rltexgpu.h):

```sh
clang -g -O1 -fsanitize=address,undefined \
    -I <raylib-src>/src/external repro_gputex.c -o repro_gputex
```

```sh
# Bug 1: OOB read (DDS, PKM, PVR, ASTC)
./repro_gputex crashes/rc1_dds_oob_read.bin
./repro_gputex crashes/rc1_pkm_oob_read.bin
./repro_gputex crashes/rc1_pvr_oob_read.bin
./repro_gputex crashes/rc1_astc_oob_read.bin

# Bug 2: Integer overflow -> heap OOB write (DDS)
./repro_gputex crashes/rc2_dds_heap_oob_write.bin

# Bug 3: ASTC division by zero
./repro_gputex crashes/rc3_astc_div_zero.bin
```

LoadIQM() reads offset and count fields from the IQM header and uses them
directly in 13+ memcpy calls without bounds checking.
No raylib dependency:

```sh
clang -g -O1 -fsanitize=address,undefined repro_iqm.c -o repro_iqm
```

```sh
# Heap OOB read via unvalidated offsets
./repro_iqm crashes/iqm_rc1_heap_oob_read.bin

# Integer overflow in allocation size
./repro_iqm crashes/iqm_rc2_int_overflow_oom.bin
```

Found with AFL++ fuzzing under AddressSanitizer and UndefinedBehaviorSanitizer.
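Both loaders above fail in the same way: a 32-bit header field (a count, an offset, or an image dimension) is turned into an allocation size and a memcpy length without ever being compared against file_size, and the arithmetic on the way there can wrap or divide by zero. The block below is an added example, not raylib's code and not part of the reproduction programs; it shows the validation a hardened parser would do for both the texture case and the IQM case. The cut-down IQM-style header, the block-compressed size formula, the sample input and every function name in it are assumptions for illustration.

```c
/* Added example (not raylib's code): the header-field validation that both
 * loaders above skip. The IQM-style header is a cut-down illustration of
 * the real layout, the texture size formula is a generic one, and all
 * names are assumed. Build: clang -g -O1 -fsanitize=address,undefined hardened_checks.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Is [ofs, ofs + count*elem) inside a buffer of file_size bytes?
 * count*elem is exactly the product a loader hands to malloc and memcpy, so
 * it is computed once here with overflow detection (GCC/clang builtins)
 * instead of trusting 32-bit header fields to multiply without wrapping. */
bool range_in_file(uint32_t ofs, uint32_t count, size_t elem, size_t file_size)
{
    size_t len, end;
    if (__builtin_mul_overflow((size_t)count, elem, &len)) return false;
    if (__builtin_add_overflow((size_t)ofs, len, &end)) return false;
    return end <= file_size;
}

/* Bytes needed for one block-compressed level; 0 means "reject the file".
 * Guards header-supplied block dimensions before they become divisors and
 * the blocks*bytes_per_block product before it becomes an allocation size. */
size_t block_texture_bytes(uint32_t width, uint32_t height,
                           uint32_t block_w, uint32_t block_h,
                           uint32_t bytes_per_block)
{
    size_t bx, by, nblocks, total;
    if (!width || !height || !block_w || !block_h || !bytes_per_block) return 0;
    /* ceil(w / bw) written without the (w + bw - 1) sum that can wrap */
    bx = (size_t)width / block_w + (width % block_w != 0);
    by = (size_t)height / block_h + (height % block_h != 0);
    if (__builtin_mul_overflow(bx, by, &nblocks)) return 0;
    if (__builtin_mul_overflow(nblocks, (size_t)bytes_per_block, &total)) return 0;
    return total;
}

/* The file_size check the texture parsers take a parameter for but never
 * make: the level's pixel data must end inside the file. */
bool texture_fits(uint32_t width, uint32_t height, uint32_t block_w,
                  uint32_t block_h, uint32_t bytes_per_block,
                  uint32_t data_offset, size_t file_size)
{
    size_t bytes = block_texture_bytes(width, height, block_w, block_h, bytes_per_block);
    return bytes != 0 && range_in_file(data_offset, 1, bytes, file_size);
}

/* Cut-down IQM-style header (assumed layout; the real header carries more
 * count/offset pairs, each of which needs the same treatment). */
typedef struct {
    char     magic[16];                 /* "INTERQUAKEMODEL\0" */
    uint32_t version, filesize, flags;
    uint32_t num_meshes, ofs_meshes;
    uint32_t num_triangles, ofs_triangles;
} iqm_hdr;

typedef struct { uint32_t vertex[3]; } iqm_triangle;   /* 12 bytes */

/* Hardened form of "memcpy(tris, data + ofs, num * sizeof *tris)":
 * returns the number of triangles copied, or -1 if the header is rejected. */
long load_triangles(const uint8_t *data, size_t file_size,
                    iqm_triangle *out, size_t out_cap)
{
    iqm_hdr h;
    if (file_size < sizeof h) return -1;            /* header itself past EOF */
    memcpy(&h, data, sizeof h);
    if (memcmp(h.magic, "INTERQUAKEMODEL", 16) != 0) return -1;
    if (!range_in_file(h.ofs_triangles, h.num_triangles,
                       sizeof(iqm_triangle), file_size)) return -1;
    if (h.num_triangles > out_cap) return -1;
    memcpy(out, data + h.ofs_triangles,
           (size_t)h.num_triangles * sizeof(iqm_triangle));
    return (long)h.num_triangles;
}

/* Constructed sample input: the header followed by two triangles, with the
 * header's offset/count fields chosen by the caller so crafted values can
 * be tried against load_triangles(). */
long sample_load(uint32_t ofs_triangles, uint32_t num_triangles)
{
    uint8_t file[sizeof(iqm_hdr) + 2 * sizeof(iqm_triangle)];
    iqm_triangle out[4];
    iqm_hdr h;
    memset(&h, 0, sizeof h);
    memcpy(h.magic, "INTERQUAKEMODEL", 16);
    h.version = 2;
    h.filesize = (uint32_t)sizeof file;
    h.ofs_triangles = ofs_triangles;
    h.num_triangles = num_triangles;
    memcpy(file, &h, sizeof h);
    for (size_t i = sizeof h; i < sizeof file; i++) file[i] = (uint8_t)i;
    return load_triangles(file, sizeof file, out, 4);
}

int main(void)
{
    printf("256x256, 4x4 blocks, 16 B/block: %zu bytes\n",
           block_texture_bytes(256, 256, 4, 4, 16));
    printf("zero block size: %zu (rejected)\n", block_texture_bytes(256, 256, 0, 4, 16));
    printf("sane IQM sample: %ld triangles\n", sample_load((uint32_t)sizeof(iqm_hdr), 2));
    printf("count past EOF: %ld (rejected)\n", sample_load((uint32_t)sizeof(iqm_hdr), 3));
    printf("huge offset: %ld (rejected)\n", sample_load(0xFFFFFFF0u, 1));
    return 0;
}
```

range_in_file() is the shape of the check missing in both loaders: one overflow-checked product feeds both the allocation size and the memcpy length, and it is compared against file_size before either happens, which covers the OOB read and the overflow-to-OOM cases together. block_texture_bytes() adds the zero-divisor and zero-dimension guard the ASTC division-by-zero case calls for. __builtin_mul_overflow and __builtin_add_overflow are GCC/clang builtins; on other compilers substitute a count > SIZE_MAX / elem test.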