slic3r / Slic3r

Open Source toolpath generator for 3D printers
https://slic3r.org/
GNU Affero General Public License v3.0

NULL pointer dereference in AMF XML parser (metadata tag without type attribute) #5117

Open eldstal opened 2 years ago

eldstal commented 2 years ago

Summary

A crafted AMF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Steps to reproduce

  1. Create the proof-of-concept OBJ file (nullptr_amf_metadata.amf.xml):
    <amf unit="millimeter">
    <object id="0">
        <metadata>dummy</metadata>
    </object>
    </amf>
  2. Execute slic3r --info nullptr_amf_metadata.amf.xml
  3. Observe segmentation fault.

Example file

nullptr_amf_metadata.amf.xml.zip

Cause

An attempt is made to read the type attribute of the <metadata> tag, at AMF.cpp:189. The PoC contains a metadata tag without a type attribute.

get_attribute() returns NULL, and thus the creation of the std::string m_value[0] crashes.

Impact

Denial of Service.

Proposed mitigation

Check for NULL before trying to construct the std::string, set a default value or reject the tag. Similar checks are already in place at line 163 and others.
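
The mitigation proposed in the issue above, as an added example that is not Slic3r's code and not part of the original post: look the attribute up, and only construct the std::string once the pointer is known to be non-NULL, either rejecting the tag or substituting a default. The names find_attribute, read_metadata_type, MissingType and the "unknown" default are hypothetical, and the NULL-terminated name/value attribute array is an assumed layout.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical lookup: atts is assumed to be a NULL-terminated array of
// alternating name/value C strings. Returns nullptr when the attribute is absent.
static const char* find_attribute(const char** atts, const char* name) {
    if (atts == nullptr) return nullptr;
    // Requiring atts[1] as well stops at a dangling name with no value.
    for (; atts[0] != nullptr && atts[1] != nullptr; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;
}

// The two mitigations named in the issue: reject the tag or use a default.
enum class MissingType { Reject, UseDefault };

// Writes the metadata type to `out` and returns true, or returns false when
// the tag has to be rejected. A null pointer never reaches std::string,
// whose const char* constructor has undefined behaviour for NULL.
static bool read_metadata_type(const char** atts, MissingType policy,
                               std::string& out) {
    const char* type = find_attribute(atts, "type");
    if (type != nullptr) {
        out = type;
        return true;
    }
    if (policy == MissingType::UseDefault) {
        out = "unknown";  // hypothetical default value
        return true;
    }
    return false;  // caller skips the tag or reports a parse error
}

// Constructed sample inputs, not taken from the project.
static const char* kWithType[] = {"type", "name", nullptr};  // <metadata type="name">
static const char* kNoAttrs[] = {nullptr};                   // <metadata>dummy</metadata>
static const char* kOtherAttr[] = {"foo", "bar", nullptr};   // <metadata foo="bar">

int main() {
    std::string t;
    const char** cases[] = {kWithType, kNoAttrs, kOtherAttr};
    for (const char** atts : cases) {
        bool ok = read_metadata_type(atts, MissingType::Reject, t);
        std::cout << (ok ? "accepted type=" + t : std::string("rejected")) << "\n";
    }
    return 0;
}
```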

eldstal commented 2 years ago

This vulnerability has been assigned CVE-2021-45846.

supermerill commented 2 years ago

Note that the patch should also be applied to PrusaSlicer @bubnikv