slic3r / Slic3r

Open Source toolpath generator for 3D printers
https://slic3r.org/
GNU Affero General Public License v3.0

Security: Out of bounds read in OBJ face parser #5115

Open eldstal opened 2 years ago

eldstal commented 2 years ago

Summary

An out-of-bounds read in the OBJ file parsing leads to segmentation fault and potential information disclosure.

Vulnerable versions

Steps to reproduce

  1. Create the proof-of-concept OBJ file (oob_face.obj):
    f 1 1 1
  2. Execute slic3r --info oob_face.obj
  3. Observe segmentation fault.

Screenshot


Example file

oob_face.zip

Cause

The f (face) element in an OBJ file refers to previously specified vertices by index. A bounds check is missing, allowing a face to be created with invalid vertex indices. This leads to an out-of-bounds read at TriangleMesh.cpp:59 due to points being a NULL pointer. As the offset is controlled by the input file, this can be leveraged to read a value from an arbitrary location in memory.

Impact

Information disclosure. This type of bug can be used to bypass automatic security mechanisms such as stack protectors and pointer encryption.

Proposed mitigation

It appears that the tinyobj parser has identified that the vertex indices are invalid, so all that's missing is a check before calling the TriangleMesh constructor at IO.cpp:146.

System information

eldstal commented 2 years ago

The root cause for this appears to be the same as CVE-2020-28590, which is a good 12 months old by now.
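The check the Cause and Proposed mitigation sections above ask for, shown as an added example: a minimal OBJ reader that resolves every face index against the vertices seen so far and refuses the file before anything mesh-related is built. This is not Slic3r's IO.cpp/TriangleMesh code and not tinyobj; `parseObj`, `resolveVertexIndex`, `ParsedObj` and the inputs in `main` are this example's own assumptions, and the `f 1 1 1` input is the report's proof-of-concept reproduced as a constructed string.

```cpp
#include <array>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical minimal OBJ reader illustrating the missing bounds check.
// Names are the example's own, not Slic3r's or tinyobj's.

struct Vec3 { float x = 0, y = 0, z = 0; };

// Face with 0-based vertex indices that were validated against the vertex
// array at parse time, so a mesh builder can index `vertices` without re-checking.
struct Face { std::array<std::size_t, 3> v{}; };

struct ParsedObj {
    std::vector<Vec3> vertices;
    std::vector<Face> faces;
    std::string error;   // empty on success, otherwise "line N: reason"
};

// Resolve one OBJ face token ("v", "v/vt" or "v/vt/vn") against the vertices
// seen so far. OBJ indices are 1-based; negative values count back from the
// last vertex; 0 and anything beyond the current vertex count are rejected.
static bool resolveVertexIndex(const std::string &tok, std::size_t count,
                               std::size_t &out) {
    const char *begin = tok.c_str();
    char *end = nullptr;
    long idx = std::strtol(begin, &end, 10);
    if (end == begin) return false;                  // no digits at all
    if (*end != '\0' && *end != '/') return false;   // junk after the number
    if (idx > 0) {
        if (static_cast<unsigned long>(idx) > count) return false;
        out = static_cast<std::size_t>(idx) - 1;
        return true;
    }
    if (idx < 0) {
        // Modular negation avoids overflow on LONG_MIN.
        unsigned long back = 0UL - static_cast<unsigned long>(idx);
        if (back > count) return false;
        out = count - static_cast<std::size_t>(back);
        return true;
    }
    return false;  // 0 is never a valid OBJ index
}

ParsedObj parseObj(const std::string &text) {
    ParsedObj obj;
    std::istringstream in(text);
    std::string line;
    std::size_t lineno = 0;
    auto fail = [&](const std::string &why) {
        obj.error = "line " + std::to_string(lineno) + ": " + why;
        obj.faces.clear();   // never hand a partially valid face list downstream
        return obj;
    };
    while (std::getline(in, line)) {
        ++lineno;
        std::istringstream ls(line);
        std::string tag;
        if (!(ls >> tag) || tag[0] == '#') continue;   // blank line or comment
        if (tag == "v") {
            Vec3 p;
            if (!(ls >> p.x >> p.y >> p.z)) return fail("malformed vertex");
            obj.vertices.push_back(p);
        } else if (tag == "f") {
            // Only the first three indices are read; extra polygon corners are ignored here.
            Face f;
            for (std::size_t k = 0; k < 3; ++k) {
                std::string tok;
                if (!(ls >> tok)) return fail("face needs three vertex indices");
                if (!resolveVertexIndex(tok, obj.vertices.size(), f.v[k]))
                    return fail("face index '" + tok + "' out of range for " +
                                std::to_string(obj.vertices.size()) + " vertices");
            }
            obj.faces.push_back(f);
        }
        // Other element types (vt, vn, o, ...) are ignored in this example.
    }
    return obj;
}

// True when every face in `text` references a vertex that exists.
bool objFacesInBounds(const std::string &text) { return parseObj(text).error.empty(); }

int main() {
    // Constructed inputs: the report's proof-of-concept and a valid triangle.
    ParsedObj poc = parseObj("f 1 1 1\n");
    std::cout << (poc.error.empty() ? "accepted" : "rejected: " + poc.error) << '\n';
    ParsedObj good = parseObj("v 0 0 0\nv 1 0 0\nv 0 1 0\nf 1 2 3\n");
    std::cout << (good.error.empty() ? "accepted, faces=" + std::to_string(good.faces.size())
                                     : "rejected: " + good.error) << '\n';
    return 0;
}
```

The point of validating at parse time is that the face list handed to the mesh builder is then an invariant, not a hope: any index that reaches the constructor is already known to be inside the vertex array, which is what a check before the TriangleMesh constructor call would provide.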