Summary
A crafted AMF XML document can cause a crash due to a NULL pointer dereference during parsing.
Vulnerable versions
Step to reproduce
nullptr_amf_metadata.amf.xml:
slic3r --info nullptr_amf_metadata.amf.xml
Example file
nullptr_amf_metadata.amf.xml.zip
Cause
An attempt is made to read the type attribute of the <metadata> tag, at AMF.cpp:189. The PoC contains a metadata tag without a type attribute. get_attribute() returns NULL, and thus the creation of the std::string m_value[0] crashes.
Impact
Denial of Service.
Proposed mitigation
Check for NULL before trying to construct the std::string, set a default value or reject the tag. Similar checks are already in place at line 163 and others.
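The mitigation above, sketched as an added example (not Slic3r's code or a patch from the project). It assumes an expat-style, NULL-terminated name/value attribute array; lookup_attribute, read_metadata_type and metadata_type_or are hypothetical names standing in for the parser's get_attribute() and its caller.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for the parser's attribute lookup. Assumed shape:
// atts is a NULL-terminated list of name/value pairs. Returns nullptr when
// the attribute is absent, which is the case the PoC triggers.
static const char* lookup_attribute(const char** atts, const char* name) {
    if (atts == nullptr) return nullptr;
    // Stop on a missing value as well, so an odd-length list is not over-read.
    for (; atts[0] != nullptr && atts[1] != nullptr; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;
}

// "Reject the tag" policy: returns false and leaves out untouched when
// <metadata> has no type attribute. A null pointer never reaches the
// std::string constructor, which is undefined behaviour for a null argument.
static bool read_metadata_type(const char** atts, std::string& out) {
    const char* type = lookup_attribute(atts, "type");
    if (type == nullptr) return false;
    out.assign(type);
    return true;
}

// "Set a default value" policy: same check, caller-chosen fallback.
static std::string metadata_type_or(const char** atts, const std::string& fallback) {
    std::string value;
    return read_metadata_type(atts, value) ? value : fallback;
}

int main() {
    // Constructed attribute lists, as the XML parser would pass them.
    const char* with_type[]    = {"type", "name", nullptr};  // <metadata type="name">
    const char* without_type[] = {nullptr};                  // <metadata> (PoC case)

    std::string value;
    if (read_metadata_type(with_type, value))
        std::printf("type=%s\n", value.c_str());
    if (!read_metadata_type(without_type, value))
        std::printf("metadata tag without type attribute: rejected\n");
    std::printf("default policy: %s\n",
                metadata_type_or(without_type, "unknown").c_str());
    return 0;
}
```
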