CVE-2025-8854: Stack-based buffer overflow in OFF loader (LoadOFF)

[simkca]

Summary
The OFF parser in the VHACD utility reads into a fixed-size stack buffer using an
unbounded "%s":

// Extras/VHACD/test/src/main_vhacd.cpp (LoadOFF)
// https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472
char temp[1024];
fscanf(fid, "%s", temp); // unbounded read → overflow if token >1023 bytes

Impact
A crafted OFF file with an overlong initial token triggers a stack buffer overflow, leading to
a crash and potentially code execution depending on compiler/stack protections.

Affected component
bullet3: Extras/VHACD/test/src/main_vhacd.cpp (function LoadOFF)

Reproducer
Create an OFF file whose first token exceeds 1024 bytes (no spaces) and run the VHACD tool.
In our environment, the Python API pybullet.vhacd() also
crashes when passed such an OFF file.

import pybullet as p

p.connect(p.DIRECT) 
vhacd_handle = p.vhacd(
    fileNameIn="test.OFF", 
    fileNameOut="output_model.obj",
    fileNameLogging="vhacd_log.txt", 
)

Suggested fix (minimal)

• Use a bounded read and check return values:
  char temp[1024];
  if (fscanf(fid, "%1023s", temp) != 1) { fclose(fid); return false; }