LOW

GHSA-7qw8-3vmf-gj32

MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput

Details

### Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

### Details

In `source/MaterialXCore/Material.cpp`, the following code extracts the output nodes for a given implementation graph:

```cpp InterfaceElementPtr impl = materialNodeDef->getImplementation(); if (impl && impl->isA<NodeGraph>()) { NodeGraphPtr implGraph = impl->asA<NodeGraph>(); for (OutputPtr defOutput : materialNodeDef->getOutputs()) { if (defOutput->getType() == MATERIAL_TYPE_STRING) { OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName()); for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it) { ElementPtr upstreamElem = it.getUpstreamElement(); if (!upstreamElem) { it.setPruneSubgraph(true); continue; } NodePtr upstreamNode = upstreamElem->asA<Node>(); if (upstreamNode && upstream ```

However, when defining the `implGraphOutput` variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator `traverseGraph()`. This leads to a potential null pointer dereference.

### PoC

Please download `nullptr_implgraph.mtlx` from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011

`build/bin/MaterialXView --material nullptr_implgraph.mtlx`

### Impact

An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / materialx

Introduced in: 1.39.2 Fixed in: 1.39.3

Fix pip install --upgrade 'materialx>=1.39.3'

Details

Are you affected?

Affected packages

References