slic3r / Slic3r

Open Source toolpath generator for 3D printers
https://slic3r.org/
GNU Affero General Public License v3.0

NULL pointer dereference in 3MF XML parser (triangle tag without v1/v2/v3 attribute) #5119

Open eldstal opened 2 years ago

eldstal commented 2 years ago

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Steps to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel):
     ```xml
     <model>
     <resources>
     <object id="1">
       <mesh>
         <vertices>
           <triangle />
         </vertices>
       </mesh>
     </object>
     </resources>
     </model>
     ```
  2. Pack the file into a zip archive together with the prerequisite other files from a 3mf file:
     ```
     3D/3dmodel.3dmodel
     rels/.rels
     [Content_Types].xml
     ```
  3. Rename the zip archive to `nullptr_3mf_triangle.3mf`
  4. Execute `slic3r --info nullptr_3mf_triangle.3mf`
  5. Observe segmentation fault.

Example file

nullptr_3mf_triangle.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:590 is ineffective, since self->stop() does not terminate the current function.

Execution continues to line 593, where atoi receives a NULL pointer input, and a crash results.

Impact

Denial of Service.

Proposed mitigation

Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.
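The control flow described under Cause, and the fix proposed above, as an added C++ model that is not Slic3r's code: `get_attribute`, the expat-style attribute array, and both context structs are reconstructed assumptions, not TMF.cpp itself.

```cpp
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
struct Triangle { int v1, v2, v3; };

// Expat-style lookup (assumed shape: alternating name/value strings, nullptr-terminated).
// Returns nullptr when the attribute is absent, as the report says get_attribute() does.
static const char* get_attribute(const char** attrs, const char* name) {
    for (int i = 0; attrs[i] != nullptr; i += 2)
        if (std::strcmp(attrs[i], name) == 0)
            return attrs[i + 1];
    return nullptr;
}

// Flawed pattern (hypothetical reconstruction of the bug): stop() only records a
// flag, so the handler keeps running and hands nullptr to atoi() when v1/v2/v3
// are missing. Kept for comparison; never call it with a malformed element.
struct FlagStopContext {
    bool stopped = false;
    void stop() { stopped = true; }
    Triangle on_triangle(const char** attrs) {
        const char* v1 = get_attribute(attrs, "v1");
        const char* v2 = get_attribute(attrs, "v2");
        const char* v3 = get_attribute(attrs, "v3");
        if (!v1 || !v2 || !v3) stop();                        // check runs, then falls through
        return { std::atoi(v1), std::atoi(v2), std::atoi(v3) }; // NULL dereference here
    }
};

// Hardened pattern, as the issue proposes: stop() throws, so the malformed
// document is rejected before any missing attribute value is dereferenced.
struct ThrowStopContext {
    [[noreturn]] void stop(const std::string& why) { throw std::runtime_error("3MF parse error: " + why); }
    Triangle on_triangle(const char** attrs) {
        const char* v1 = get_attribute(attrs, "v1");
        const char* v2 = get_attribute(attrs, "v2");
        const char* v3 = get_attribute(attrs, "v3");
        if (!v1 || !v2 || !v3) stop("<triangle> lacks v1/v2/v3");
        return { std::atoi(v1), std::atoi(v2), std::atoi(v3) };
    }
};

// Returns true and fills *out for a well-formed element; false (and no crash)
// for the attribute-less <triangle /> from the report.
bool parse_triangle_safely(const char** attrs, Triangle* out) {
    try { *out = ThrowStopContext().on_triangle(attrs); return true; }
    catch (const std::runtime_error&) { return false; }
}
```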

eldstal commented 2 years ago

This vulnerability has been assigned CVE-2021-45847.

supermerill commented 2 years ago

not present in merill-merge branch