MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
GHSA-7qw8-3vmf-gj32 · CVE-2025-53011
Description
Summary
When parsing shader nodes in an MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:
    InterfaceElementPtr impl = materialNodeDef->getImplementation();
    if (impl && impl->isA<NodeGraph>())
    {
        NodeGraphPtr implGraph = impl->asA<NodeGraph>();
        for (OutputPtr defOutput : materialNodeDef->getOutputs())
        {
            if (defOutput->getType() == MATERIAL_TYPE_STRING)
            {
                // implGraphOutput may be null here and is dereferenced on the next line without a check.
                OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
                for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
                {
                    ElementPtr upstreamElem = it.getUpstreamElement();
                    if (!upstreamElem)
                    {
                        it.setPruneSubgraph(true);
                        continue;
                    }
                    NodePtr upstreamNode = upstreamElem->asA<Node>();
                    if (upstreamNode && upstream
However, after assigning implGraphOutput from implGraph->getOutput(defOutput->getName()), the code does not check whether the result is null before calling traverseGraph() on it. This leads to a potential null pointer dereference.
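The missing guard, shown as an added example that is neither MaterialX code nor the upstream patch. Output, NodeGraph and collectUpstream are simplified stand-ins (assumptions) that model a lookup returning null when the implementation graph has no output with the requested name.

```cpp
// Added illustration: simplified stand-ins, NOT the MaterialX API or the upstream patch.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Output {
    std::string name, type;
    std::vector<std::string> upstream;  // stand-in for what a graph traversal would visit
};
using OutputPtr = std::shared_ptr<Output>;

struct NodeGraph {
    std::map<std::string, OutputPtr> outputs;
    // Modelled on the lookup in the advisory: null when no output has this name.
    OutputPtr getOutput(const std::string& name) const {
        auto it = outputs.find(name);
        return it == outputs.end() ? OutputPtr() : it->second;
    }
};

const std::string MATERIAL_TYPE_STRING = "material";

// Collect upstream node names for every material-typed output of a definition.
// Outputs that the implementation graph does not define are skipped and reported
// through `missing` instead of being dereferenced.
std::vector<std::string> collectUpstream(const std::vector<Output>& defOutputs,
                                         const NodeGraph& implGraph,
                                         std::vector<std::string>* missing = nullptr) {
    std::vector<std::string> found;
    for (const Output& defOutput : defOutputs) {
        if (defOutput.type != MATERIAL_TYPE_STRING) continue;
        OutputPtr implGraphOutput = implGraph.getOutput(defOutput.name);
        if (!implGraphOutput) {  // the check the vulnerable loop lacks
            if (missing) missing->push_back(defOutput.name);
            continue;
        }
        found.insert(found.end(), implGraphOutput->upstream.begin(),
                     implGraphOutput->upstream.end());
    }
    return found;
}

int main() {
    // Constructed sample: the definition declares "out" and "extra", the graph only "out".
    NodeGraph g;
    g.outputs["out"] = std::make_shared<Output>(Output{"out", "material", {"node1"}});
    std::vector<Output> defs = {Output{"out", "material", {}}, Output{"extra", "material", {}}};
    std::vector<std::string> missing;
    return (collectUpstream(defs, g, &missing).size() == 1 && missing.size() == 1) ? 0 : 1;
}
```

Reporting the skipped output names gives the caller something to log or reject on, rather than silently accepting a document whose definition and implementation disagree.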
PoC
Please download nullptr_implgraph.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
build/bin/MaterialXView --material nullptr_implgraph.mtlx
Impact
An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
References
- WEB https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-53011
- WEB https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf
- PACKAGE https://github.com/AcademySoftwareFoundation/MaterialX
- WEB https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3
- WEB https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011