usd: Fix a bug where corrupt .usdc files could cause a data race opening a

file.

(Internal change: 2363810)

Author: gitamohr

pxr/usd/usd/CMakeLists.txt

@@ -504,6 +504,17 @@ pxr_build_test(testUsdUsdzBugGHSA01
         testenv/testUsdUsdzBugGHSA01.cpp
 )
 
+pxr_build_test(testUsdUsdcBugGHSA02
+    LIBRARIES
+        ar
+        arch
+        tf
+        sdf
+        usd
+    CPPFILES
+    testenv/testUsdUsdcBugGHSA02.cpp
+)
+
 pxr_build_test(testUsdSplinesCpp
     LIBRARIES
         tf
@@ -795,6 +806,11 @@ pxr_install_test_dir(
     DEST testUsdUsdzBugGHSA01
 )
 
+pxr_install_test_dir(
+    SRC testenv/testUsdUsdcBugGHSA02.testenv
+    DEST testUsdUsdcBugGHSA02
+)
+
 pxr_register_test(testUsdAppliedAPISchemas
     PYTHON
     COMMAND "${CMAKE_INSTALL_PREFIX}/tests/testUsdAppliedAPISchemas"
@@ -1417,3 +1433,9 @@ pxr_register_test(testUsdUsdzBugGHSA01
     COMMAND "${CMAKE_INSTALL_PREFIX}/tests/testUsdUsdzBugGHSA01"
     EXPECTED_RETURN_CODE 0
 )
+
+pxr_register_test(testUsdUsdcBugGHSA02
+    COMMAND "${CMAKE_INSTALL_PREFIX}/tests/testUsdUsdcBugGHSA02"
+    EXPECTED_RETURN_CODE 0
+)
+  

pxr/usd/usd/crateFile.cpp

@@ -3702,22 +3702,36 @@ CrateFile::_ReadCompressedPaths(Reader reader,
     cr.Read(reader, pathIndexes.data(), numPaths);
 
 #ifdef PXR_PREFER_SAFETY_OVER_SPEED
-    // Range check the pathIndexes, which index into _paths.
-    for (const uint32_t pathIndex: pathIndexes) {
-        if (pathIndex >= _paths.size()) {
-            TF_RUNTIME_ERROR("Corrupt path index in crate file (%u >= %zu)",
-                             pathIndex, _paths.size());
-            return;
+    // Range check the pathIndexes, which index into _paths, and also ensure
+    // there are no duplicates in pathIndexes.  If there are this file is
+    // corrupt, and if we were to continue we could data-race while mutating the
+    // same SdfPath object in _paths concurrently in
+    // _BuildDecompressedPathsImpl.  It's a delightful occasion to use C++'s
+    // collectio non grata: vector<bool>.
+    {
+        vector<bool> seenIndexes(_paths.size());
+        for (const uint32_t pathIndex: pathIndexes) {
+            if (pathIndex >= _paths.size() || seenIndexes[pathIndex]) {
+                TF_RUNTIME_ERROR(
+                    "Corrupt path index in crate file (%u %s)",
+                    pathIndex,
+                    pathIndex >= _paths.size()
+                    ? TfStringPrintf(">= %zu", _paths.size()).c_str()
+                    : "repeated");
+                return;
+            }
+            seenIndexes[pathIndex] = true;
         }
     }
+    
 #endif // PXR_PREFER_SAFETY_OVER_SPEED
 
     // elementTokenIndexes.
     elementTokenIndexes.resize(numPaths);
     cr.Read(reader, elementTokenIndexes.data(), numPaths);
 
 #ifdef PXR_PREFER_SAFETY_OVER_SPEED
-    // Range check the pathIndexes, which index (by absolute value) into
+    // Range check the elementTokenIndexes, which index (by absolute value) into
     // _tokens.
     for (const int32_t elementTokenIndex: elementTokenIndexes) {
         if (static_cast<size_t>(

pxr/usd/usd/testenv/testUsdUsdcBugGHSA02.cpp

@@ -0,0 +1,57 @@
+//
+// Copyright 2025 Pixar
+//
+// Licensed under the terms set forth in the LICENSE.txt file available at
+// https://openusd.org/license.
+//
+
+#include "pxr/pxr.h"
+
+#include "pxr/base/tf/error.h"
+#include "pxr/base/tf/errorMark.h"
+#include "pxr/base/tf/diagnosticLite.h"
+#include "pxr/usd/usd/stage.h"
+
+#include <string>
+#include <cstring>
+
+PXR_NAMESPACE_USING_DIRECTIVE
+
+// This test checks for the security issue detailed in Github security 
+// advisory GHSA-58p5-r2f6-g2cj.
+static void
+TestUsdcFile()
+{
+    // This test relies on range checks that are only enabled when
+    // PXR_PREFER_SAFETY_OVER_SPEED is enabled.
+#ifdef PXR_PREFER_SAFETY_OVER_SPEED
+
+    TfErrorMark m;
+    auto stage = UsdStage::Open("root.usdc");
+
+    // a runtime error should have been posted
+    TF_AXIOM(!m.IsClean());
+
+    // Look for the specific runtime error for the invalid spec type
+    auto decompressError = [](const TfError& e) -> bool {
+        return TfStringEndsWith(e.GetCommentary(),
+                                "Failed to decompress data, "
+                                "possibly corrupt? LZ4 error code: -596");
+    };
+    TF_AXIOM(std::any_of(m.begin(), m.end(), decompressError));
+
+    // Make sure that a corrupt asset error was also posted
+    auto corruptPathIndex = [](const TfError& e) -> bool {
+        return e.GetCommentary() == "Corrupt path index in crate file "
+                                    "(0 repeated)";
+    };
+    TF_AXIOM(std::any_of(m.begin(), m.end(), corruptPathIndex));
+#endif // PXR_PREFER_SAFETY_OVER_SPEED
+}
+
+int main(int argc, char** argv)
+{
+    TestUsdcFile();
+
+    return 0;
+}