Summary
A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.
Vulnerable versions
Step to reproduce
3dmodel.3dmodel
):nullptr_3mf_vertex.3mf
slic3r --info nullptr_3mf_vertex.3mf
Example file
nullptr_3mf_vertex.zip
Cause
get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:580 is ineffective, since self->stop() does not terminate the current function. Execution continues to line 582, where atof receives a NULL pointer input, and a crash results.
Impact
Denial of Service.
Proposed mitigation
Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.
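The cause and the proposed mitigation above, side by side in a reduced model. This is an added example, not code from Slic3r: ParserContext, stop_flag_only(), stop_throwing(), parse_x(), parse_vertex(), the attribute name "x" and the attribute array layout are assumptions made for illustration.

```cpp
// Added illustration: a reduced model of the bug pattern, not Slic3r's code.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>

struct ParserContext {               // hypothetical stand-in for the parser context
    bool stopped = false;
    void stop_flag_only() { stopped = true; }   // records the error, then returns
    [[noreturn]] void stop_throwing() {         // proposed mitigation: never returns
        stopped = true;
        throw std::runtime_error("malformed 3MF: required attribute missing");
    }
};

// Look up `name` in a NULL-terminated {name, value, ...} array (assumed layout).
const char* get_attribute(const char** atts, const char* name) {
    for (; atts && atts[0] && atts[1]; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;
}

// Flawed shape: stop() is called but control falls through to the conversion.
// Returns true when the atof() call site would be reached with NULL; the call
// itself is left out so the demonstration does not crash.
bool flawed_reaches_atof_with_null(ParserContext& ctx, const char** atts) {
    const char* x = get_attribute(atts, "x");
    if (!x) ctx.stop_flag_only();    // no return and no throw
    return x == nullptr;             // atof(x) would run here
}

// Hardened shape: stop() throws, so atof() only ever sees a non-NULL string.
double parse_x(ParserContext& ctx, const char** atts) {
    const char* x = get_attribute(atts, "x");
    if (!x) ctx.stop_throwing();
    return std::atof(x);
}

// Top-level caller turns the exception into a clean parse failure.
bool parse_vertex(const char** atts, double& out) {
    ParserContext ctx;
    try { out = parse_x(ctx, atts); return true; }
    catch (const std::runtime_error&) { return false; }
}

int main() {
    const char* missing_x[] = {"y", "2", nullptr};   // constructed input
    double v = 0;
    std::printf("parsed=%d\n", parse_vertex(missing_x, v));
}
```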