Two heap-buffer-overflow vulnerabilities in raylib model file parsers, triggered by loading crafted model files via LoadModel().
Bug 1: IQM loader — systemic unchecked offsets
File: src/rmodels.c, lines 4788, 4841, 4863
Root cause: memcpy uses offset and count fields from the IQM binary header without validating them against the actual file size:
memcpy(va, fileDataPtr + iqmHeader->ofs_vertexarrays,
       iqmHeader->num_vertexarrays * sizeof(IQMVertexArray));
Attacker-controlled ofs_vertexarrays and num_vertexarrays cause a 335,544,320-byte out-of-bounds heap read. The same unchecked pattern exists for ofs_meshes (line 4788) and ofs_triangles (line 4841).
Bug 2: VOX loader — insufficient per-read bounds check
File: src/external/vox_loader.h, line 598
Root cause: The loop checks fileDataPtr < endfileDataPtr, but each iteration reads 12+ bytes without verifying that enough bytes remain:
while (fileDataPtr < endfileDataPtr)
{
    char szChunkName[5];
    memcpy(szChunkName, fileDataPtr, 4); // reads 4 bytes without checking 4 remain
}
memcpy(szChunkName, fileDataPtr, 4) reads past the buffer when fewer than 4 bytes are left.
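As an added illustration that is not part of this report or of raylib's own code, the following C shows the two checks the loaders are missing: an overflow-safe region check for header-supplied offset/count pairs (the IQM pattern in Bug 1) and a chunk walk that verifies the remaining length before every read (the VOX pattern in Bug 2). The struct stand-ins, the helper names and the sample byte strings are constructed for this example; the 20-byte record size is the IQM vertex-array record of five uint32 fields, which is why 16,777,216 records give exactly the 335,544,320-byte read quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bug 1 pattern, hardened: accept [ofs, ofs + count*elem_size) only if it lies
 * entirely inside a file of file_size bytes. Every step is wrap-around safe, so
 * a huge count cannot overflow to a small product and slip past the check. */
bool region_in_file(size_t file_size, uint64_t ofs, uint64_t count, size_t elem_size)
{
    if (elem_size == 0 || count == 0) return ofs <= file_size; /* empty region */
    if (count > UINT64_MAX / elem_size) return false;           /* count*elem_size would wrap */
    uint64_t len = count * elem_size;
    if (ofs > file_size) return false;                          /* offset already past the end */
    return len <= (uint64_t)file_size - ofs;                    /* ofs + len <= size, without wrap */
}

/* Constructed stand-ins for the IQM header and vertex-array record (not raylib's types). */
typedef struct { uint32_t num_vertexarrays, ofs_vertexarrays; } IqmHeaderLike;
typedef struct { uint32_t type, flags, format, size, offset; } IqmVertexArrayLike; /* 20 bytes */

/* Copies the vertex-array table only after validating the header fields against
 * the real file size. Returns the number of records copied, 0 if rejected. */
size_t copy_vertexarrays(const unsigned char *file, size_t file_size,
                         const IqmHeaderLike *hdr, IqmVertexArrayLike *out, size_t out_cap)
{
    if (hdr->num_vertexarrays > out_cap) return 0;
    if (!region_in_file(file_size, hdr->ofs_vertexarrays, hdr->num_vertexarrays,
                        sizeof(IqmVertexArrayLike)))
        return 0;
    memcpy(out, file + hdr->ofs_vertexarrays,
           (size_t)hdr->num_vertexarrays * sizeof(IqmVertexArrayLike));
    return hdr->num_vertexarrays;
}

/* Builds a constructed 100-byte "file" and loads it with the given header fields. */
size_t demo_iqm(uint32_t ofs, uint32_t num)
{
    unsigned char file[100] = {0};
    IqmVertexArrayLike out[8];
    IqmHeaderLike hdr = { num, ofs };
    return copy_vertexarrays(file, sizeof file, &hdr, out, 8);
}

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bug 2 pattern, hardened: a VOX-style chunk walk. Each chunk is a 4-byte id, a
 * 4-byte content size and a 4-byte children size, followed by the content; child
 * chunks follow the content in the same byte stream, so a flat walk visits them
 * in order. The remaining length is checked before every read, so a truncated
 * file ends the walk instead of reading past the buffer. Returns the number of
 * chunk headers fully parsed. */
size_t walk_chunks(const unsigned char *data, size_t size)
{
    const unsigned char *p = data;
    const unsigned char *end = data + size;
    size_t chunks = 0;
    while (p < end) {
        if ((size_t)(end - p) < 12) break;            /* header would run past the end */
        char name[5];
        memcpy(name, p, 4);                           /* safe: 12 bytes verified above */
        name[4] = '\0';
        uint32_t content_size = rd_le32(p + 4);
        uint32_t children_size = rd_le32(p + 8);
        (void)name; (void)children_size;              /* a real loader would dispatch on these */
        p += 12;
        if (content_size > (size_t)(end - p)) break;  /* declared payload exceeds what remains */
        p += content_size;
        chunks++;
    }
    return chunks;
}

/* Constructed 28-byte sample: a MAIN chunk (content 0, children 16) followed by a
 * SIZE chunk carrying 4 bytes of content. Not a real MagicaVoxel file. */
const unsigned char SAMPLE_VOX[28] = {
    'M','A','I','N', 0,0,0,0, 16,0,0,0,
    'S','I','Z','E', 4,0,0,0, 0,0,0,0,
    1,2,3,4
};

int main(void)
{
    printf("iqm ofs=0 num=5 -> %zu records\n", demo_iqm(0, 5));
    printf("iqm ofs=1 num=5 -> %zu records\n", demo_iqm(1, 5));
    printf("vox 28 bytes -> %zu chunks\n", walk_chunks(SAMPLE_VOX, sizeof SAMPLE_VOX));
    printf("vox 27 bytes -> %zu chunks\n", walk_chunks(SAMPLE_VOX, 27));
    return 0;
}
```

The check on region_in_file is the one the IQM loader needs in front of each of the three memcpy sites listed above (meshes, triangles, vertex arrays), applied to the size of the buffer actually read from disk rather than to values taken from the header. For the VOX loop, the key change is that the remaining-length test happens before the 4-byte name read and again before the payload is skipped, so the loop condition alone is never relied on.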
Impact
Both are reachable via LoadModel() when a user opens a crafted .iqm or .vox file. In game modding and asset pipeline scenarios, users commonly load untrusted model files.
Tested version
raylib HEAD as of 2026-04-11.
PoC
Two crash files attached. Reproduce under AddressSanitizer:
./app crash_file.iqm # 335MB OOB read
./app crash_file.vox # 4-byte OOB read
CWE-125 (Out-of-bounds Read)
CVSS: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H = 7.1