Skip to content

Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return

Low
jstone-lucasfilm published GHSA-3jhf-gxhr-q4cx Jul 31, 2025

Package

No package listed

Affected versions

1.39.2

Patched versions

1.39.3

Description

Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

Details

In src/MaterialXCore/Material.cpp, in function getShaderNodes, the following code fetches the output nodes for a given nodegraph input node:

// SNIP...
        else if (input->hasNodeGraphString())
        {
            // Check upstream nodegraph connected to the input.
            // If no explicit output name given then scan all outputs on the nodegraph.
            ElementPtr parent = materialNode->getParent();
            NodeGraphPtr nodeGraph = parent->getChildOfType<NodeGraph>(input->getNodeGraphString());
            if (!nodeGraph)
            {
                continue;
            }
            vector<OutputPtr> outputs;
            if (input->hasOutputString())
            {
                outputs.push_back(nodeGraph->getOutput(input->getOutputString())); // <--- null ptr is returned
            }
            else
            {
                outputs = nodeGraph->getOutputs();
            }
            for (OutputPtr output : outputs)
            {
                NodePtr upstreamNode = output->getConnectedNode(); // <--- CRASHES HERE
                if (upstreamNode && !shaderNodeSet.count(upstreamNode))
                {
                    if (!target.empty() && !upstreamNode->getNodeDef(target))
                    {
                        continue;
                    }
                    shaderNodeVec.push_back(upstreamNode);
                    shaderNodeSet.insert(upstreamNode);
                }
            }
        }
    }
// SNIP...

The issues arise because the nodeGraph->getOutput(input->getOutputString()) call can return a null pointer, therefore when trying to call output->getConnectedNode(), this results in a crash .

PoC

Please download nullptr_getshadernodes.mltx from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010

build/bin/MaterialXView --material nullptr_getshadernodes.mtlx

Impact

An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.

Severity

Low

CVE ID

CVE-2025-53010

Weaknesses

NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Learn more on MITRE.

Credits