Slic3r icon indicating copy to clipboard operation
Slic3r copied to clipboard

Published 20 hours ago verified publisher icon slic3r

NULL pointer dereference in 3MF XML parser (triangle tag without v1/v2/v3 attribute)

Open eldstal opened this issue 3 years ago • 2 comments

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

  • Slic3r (commit b1a5500f427700ac3dffc0e7d9535ea65f993537)

Step to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel):
<model>
  <resources>
    <object id="1">
      <mesh>
        <vertices>
          <triangle />
        </vertices>
      </mesh>
    </object>
  </resources>
</model>
  1. Pack the file into a zip archive together with the prerequisite other files from a 3mf file:
3D/3dmodel.3dmodel
rels/.rels
[Content_Types].xml
  1. Rename the zip archive to nullptr_3mf_triangle.3mf
  2. Execute slic3r --info nullptr_3mf_triangle.3mf
  3. Observe segmentation fault.

Example file

nullptr_3mf_triangle.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:590 is ineffective, since self->stop() does not terminate the current function.

Execution continues to line 593, where atoi receives a NULL pointer input, and a crash results.

Impact

Denial of Service.

Proposed mitigation

Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.

eldstal avatar Dec 26 '21 20:12 eldstal

This vulnerability has been assigned CVE-2021-45847.

eldstal avatar Jan 25 '22 13:01 eldstal

not present in merill-merge branch

supermerill avatar Jan 31 '22 12:01 supermerill