Fix out-of-bounds access on invalid mjvCamera->fixedcamid #3311

Open
davidhozic wants to merge 1 commit into google-deepmind:main from davidhozic:fix/cameraid-check

Contributor

@davidhozic davidhozic commented Jun 3, 2026

The mjv_updateCamera method currently does bounds checking for the fixedcamid only after calling both mjv_cameraFrame and mjv_cameraFrustum. Unlike mjv_cameraFrustum, the mjv_cameraFrame method does not do bounds checking for the fixedcamid, which results in out-of-bounds access, and thus undefined behavior, when fixedcamid is outside the valid range.

While the program will exit in error via mjERROR most of the time, this is still undefined behavior and can lead to random segmentation faults with no clear errors about what happened.

This pull request fixes this by reordering the method calls, resulting in the fixed camera's ID being checked prior to first indexing. A redundant check was also removed in mjv_updateCamera, because mjv_cameraFrustum already does the checking.
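The ordering issue described in this pull request, as an added C example that is not MuJoCo code and not part of the PR. The structs and functions (`Model`, `Camera`, `camera_frame`, `camera_frustum`, `update_frame_first`, `update_check_first`) are hypothetical stand-ins, and the two-camera model is constructed sample data.

```c
#include <stdio.h>

/* Hypothetical stand-ins, not MuJoCo's real structs or functions. */
typedef struct { int ncam; const double *cam_xpos; } Model; /* 3*ncam doubles */
typedef struct { int fixedcamid; } Camera;
enum { CAM_OK = 0, CAM_BAD_ID = -1 };

/* Frame helper: indexes by id with no range check of its own. */
void camera_frame(double pos[3], const Model *m, const Camera *c) {
  const double *src = m->cam_xpos + 3 * c->fixedcamid;
  for (int i = 0; i < 3; i++) pos[i] = src[i];
}

/* Frustum helper: validates the id before using it. */
int camera_frustum(const Model *m, const Camera *c) {
  if (c->fixedcamid < 0 || c->fixedcamid >= m->ncam) return CAM_BAD_ID;
  return CAM_OK;
}

/* Ordering described as the bug: the unchecked read runs first, so an
   invalid id is undefined behavior before any error is reported. */
int update_frame_first(double pos[3], const Model *m, const Camera *c) {
  camera_frame(pos, m, c);
  return camera_frustum(m, c);
}

/* Ordering described as the fix: validate, then index. */
int update_check_first(double pos[3], const Model *m, const Camera *c) {
  int rc = camera_frustum(m, c);
  if (rc != CAM_OK) return rc;
  camera_frame(pos, m, c);
  return CAM_OK;
}

/* Constructed sample model with two cameras. */
static const double kPos[6] = {1, 2, 3, 4, 5, 6};
static const Model kModel = {2, kPos};

/* Returns the camera's x position, or the -1.0 sentinel when the id was
   rejected and the array was never read. */
double demo_posx(int id) {
  double pos[3] = {-1.0, -1.0, -1.0};
  Camera c = {id};
  update_check_first(pos, &kModel, &c);
  return pos[0];
}

int main(void) { printf("%g %g\n", demo_posx(1), demo_posx(7)); return 0; }
```

Building the frame-first variant with `-fsanitize=address` and passing an id well outside the array is one way to turn the silent out-of-bounds read into a reported error.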
