
NULL pointer dereference in AMF XML parser (metadata tag without type attribute)

Open eldstal opened this issue 3 years ago • 2 comments

Summary

A crafted AMF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

  • Slic3r (commit b1a5500f427700ac3dffc0e7d9535ea65f993537)

Steps to reproduce

  1. Create the proof-of-concept OBJ file (nullptr_amf_metadata.amf.xml):

     <amf unit="millimeter">
         <object id="0">
             <metadata>dummy</metadata>
         </object>
     </amf>

  2. Execute slic3r --info nullptr_amf_metadata.amf.xml
  3. Observe segmentation fault.

Example file

nullptr_amf_metadata.amf.xml.zip

Cause

An attempt is made to read the type attribute of the <metadata> tag, at AMF.cpp:189. The PoC contains a metadata tag without a type attribute.

get_attribute() returns NULL, and thus the creation of the std::string m_value[0] crashes.

Impact

Denial of Service.

Proposed mitigation

Check for NULL before trying to construct the std::string, set a default value or reject the tag. Similar checks are already in place at line 163 and others.

eldstal avatar Dec 26 '21 17:12 eldstal
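The defect and the proposed check, as an added illustration that is not Slic3r's code: an expat-style attribute list is searched for `type`, and the unchecked path builds a std::string straight from the lookup result while the checked paths either reject the tag or substitute a default. The helper names (`find_attribute`, `metadata_type_*`), the attribute-array layout and the sample attribute lists are assumptions for this example, not a reproduction of AMF.cpp.

```cpp
#include <cstring>
#include <string>

// Expat-style attribute list: alternating name/value pairs ending in NULL.
// Layout and helper names are assumptions for this example.
static const char *find_attribute(const char *const *atts, const char *name) {
    for (const char *const *a = atts; a && *a; a += 2)
        if (std::strcmp(a[0], name) == 0)
            return a[1];
    return nullptr;  // attribute absent: the caller must handle this
}

// Constructed samples: the PoC's <metadata> tag has no attributes at all;
// a well-formed tag carries type="name".
static const char *const kPocAtts[] = {nullptr};
static const char *const kGoodAtts[] = {"type", "name", nullptr};

// Unchecked pattern (the bug): std::string(const char*) on a null pointer is
// undefined behaviour; the report observed a segmentation fault. Not called.
static std::string metadata_type_unchecked(const char *const *atts) {
    return std::string(find_attribute(atts, "type"));
}

// Mitigation 1: reject the tag when "type" is missing (returns false).
static bool metadata_type_checked(const char *const *atts, std::string &out) {
    const char *type = find_attribute(atts, "type");
    if (type == nullptr)
        return false;
    out.assign(type);
    return true;
}

// Mitigation 2: fall back to a default value instead of rejecting.
static std::string metadata_type_or_default(const char *const *atts,
                                            const char *def = "unknown") {
    const char *type = find_attribute(atts, "type");
    return std::string(type != nullptr ? type : def);
}
```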

This vulnerability has been assigned CVE-2021-45846.

eldstal avatar Jan 25 '22 13:01 eldstal

Note that the patch should also be applied to PrusaSlicer @bubnikv

supermerill avatar Feb 01 '22 23:02 supermerill