
NULL pointer dereference in 3MF XML parser (slic3r:volume tag without ts/te/modifier attribute)

Status: Open. eldstal opened this issue 3 years ago · 2 comments

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

  • Slic3r (commit b1a5500f427700ac3dffc0e7d9535ea65f993537)

Steps to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel):

       <model>
         <resources>
           <object id="1">
             <mesh>
               <vertices>
                 <slic3r:volume />
               </vertices>
             </mesh>
           </object>
         </resources>
       </model>

  2. Pack the file into a zip archive together with the prerequisite other files from a 3mf file:

       3D/3dmodel.3dmodel
       rels/.rels
       [Content_Types].xml

  3. Rename the zip archive to nullptr_3mf_volume.3mf
  4. Execute slic3r --info nullptr_3mf_volume.3mf
  5. Observe segmentation fault.

Example file

nullptr_3mf_volume.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The constructor of std::string is invoked implicitly, leading to a crash (std::string(NULL)). The check at TMF.cpp:602 is ineffective, since it occurs after the NULL pointer is dereferenced.

Impact

Denial of Service.

Proposed mitigation

Perform a NULL check on the return values from get_attribute before constructing strings from them. Ensure that the NULL check terminates parsing, as proposed in #5118 and #5119.

eldstal · Dec 26 '21 20:12
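To make the cause and the proposed mitigation concrete, here is an added illustration (not Slic3r's code and not taken from TMF.cpp) of the two shapes side by side. It assumes an expat-style attribute list (alternating name/value C strings ending in a NULL entry) and the attribute names ts, te and modifier from the issue title; the vulnerable function is shown for comparison and is never invoked, because std::string(NULL) is undefined behaviour.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed attribute list in the layout an expat start-element handler
// receives: alternating name/value C strings, terminated by a NULL entry.
// Stand-in for the parser state; not Slic3r's own get_attribute().
const char* get_attribute(const char** attrs, const char* name) {
    for (std::size_t i = 0; attrs[i] != nullptr; i += 2)
        if (std::strcmp(attrs[i], name) == 0)
            return attrs[i + 1];
    return nullptr;  // attribute missing: the case the report describes
}

struct Volume {
    std::string ts, te, modifier;
};

// Vulnerable shape (for illustration only, never called here): each char*
// is converted to std::string implicitly. std::string(nullptr) is undefined
// behaviour and in practice segfaults inside strlen, so any check performed
// on the resulting string afterwards comes too late.
Volume parse_volume_vulnerable(const char** attrs) {
    Volume v;
    v.ts       = get_attribute(attrs, "ts");        // NULL -> crash
    v.te       = get_attribute(attrs, "te");
    v.modifier = get_attribute(attrs, "modifier");
    return v;
}

// Hardened shape: test every raw pointer before it reaches std::string and
// treat a missing attribute as a hard parse failure for the element, so the
// caller stops instead of continuing with half-initialised state.
bool parse_volume_checked(const char** attrs, Volume& out) {
    const char* ts  = get_attribute(attrs, "ts");
    const char* te  = get_attribute(attrs, "te");
    const char* mod = get_attribute(attrs, "modifier");
    if (ts == nullptr || te == nullptr || mod == nullptr)
        return false;  // reject the element; no std::string built from NULL
    out.ts = ts;
    out.te = te;
    out.modifier = mod;
    return true;
}

// Accept/reject helper for callers that only need the verdict.
bool volume_accepted(const char** attrs) {
    Volume v;
    return parse_volume_checked(attrs, v);
}

// The PoC's <slic3r:volume /> carries no attributes at all.
const char* kPocAttrs[]  = { nullptr };
// A complete element with constructed values that the checked parser accepts.
const char* kGoodAttrs[] = { "ts", "0", "te", "11", "modifier", "0", nullptr };
```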

This vulnerability has been assigned CVE-2021-45847.

eldstal · Jan 25 '22 13:01

Not present in merill-merge branch.

supermerill · Jan 31 '22 12:01