
Security: Out of bounds read in OBJ face parser

Open · eldstal opened this issue 3 years ago · 1 comment

Summary

An out-of-bounds read in the OBJ file parsing leads to segmentation fault and potential information disclosure.

Vulnerable versions

  • Slic3r (commit b1a5500f427700ac3dffc0e7d9535ea65f993537)

Steps to reproduce

  1. Create the proof-of-concept OBJ file (oob_face.obj) containing the single line:

         f 1 1 1

  2. Execute slic3r --info oob_face.obj
  3. Observe segmentation fault.

Screenshot

(screenshot attached to the original issue; not reproduced here)

Example file

oob_face.zip

Cause

The f (face) element in an OBJ file refers to previously specified vertices by index. A bounds check is missing, allowing a face to be created with invalid vertex indices. This leads to an out-of-bounds read at TriangleMesh.cpp:59 due to points being a NULL pointer. As the offset is controlled by the input file, this can be leveraged to read a value from an arbitrary location in memory.

Impact

Information disclosure. This type of bug can be used to bypass automatic security mechanisms such as stack protectors and pointer encryption.

Proposed mitigation

It appears that the tinyobj parser has identified that the vertex indices are invalid, so all that's missing is a check before calling the TriangleMesh constructor at IO.cpp:146.

System information

  • OS: Linux
  • Version: Latest GIT (commit b1a5500f427700ac3dffc0e7d9535ea65f993537)

eldstal avatar Dec 26 '21 15:12 eldstal
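The missing bounds check the report describes, shown as an added example that is neither Slic3r's nor tinyobj's code: a minimal OBJ reader that validates every face index against the vertices defined so far before it builds a face, so a file such as the "f 1 1 1" proof of concept is rejected at parse time instead of producing a face that indexes past an empty vertex array. The struct names, the triangle-only face handling and the error strings are assumptions made for the illustration.

```cpp
#include <array>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

struct Vertex { double x, y, z; };
struct Face { std::array<size_t, 3> v; };   // zero-based, validated indices
struct ParseResult { std::vector<Vertex> vertices; std::vector<Face> faces; std::string error; };  // error empty on success

// Map a raw OBJ face index onto a zero-based vertex index. OBJ indices are 1-based;
// negative values count back from the last vertex defined so far; 0 and anything
// past the current vertex count name no existing vertex and are rejected.
static bool resolve_index(long raw, size_t count, size_t& out) {
    if (raw > 0 && static_cast<size_t>(raw) <= count) { out = static_cast<size_t>(raw) - 1; return true; }
    if (raw < 0 && static_cast<size_t>(-raw) <= count) { out = count - static_cast<size_t>(-raw); return true; }
    return false;
}

// Parses 'v' and triangular 'f' records (assumed subset of OBJ). Every face index is
// checked against the vertices seen so far, so "f 1 1 1" with no preceding vertices
// is an error rather than a mesh whose faces index past the end of the vertex array.
ParseResult parse_obj(const std::string& text) {
    ParseResult r;
    std::istringstream in(text);
    std::string line;
    for (size_t lineno = 1; std::getline(in, line); ++lineno) {
        std::istringstream ls(line);
        std::string tag;
        if (!(ls >> tag) || tag[0] == '#') continue;   // blank line or comment
        if (tag == "v") {
            Vertex vtx{};
            if (!(ls >> vtx.x >> vtx.y >> vtx.z)) { r.error = "malformed vertex on line " + std::to_string(lineno); return r; }
            r.vertices.push_back(vtx);
        } else if (tag == "f") {
            Face f{};
            for (size_t i = 0; i < 3; ++i) {
                std::string tok;   // strtol takes the leading vertex index and ignores any /vt/vn suffix
                if (!(ls >> tok) || !resolve_index(std::strtol(tok.c_str(), nullptr, 10), r.vertices.size(), f.v[i])) {
                    r.error = "face on line " + std::to_string(lineno) + " references a vertex that does not exist";
                    return r;
                }
            }
            r.faces.push_back(f);
        }
    }
    return r;
}
```

The same check belongs wherever parsed indices are handed to a mesh constructor: reject the file (or the face) when any index is outside the vertex array rather than letting the constructor dereference it.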

The root cause for this appears to be the same as CVE-2020-28590, which is a good 12 months old by now.

eldstal avatar Dec 26 '21 15:12 eldstal