Summary
A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.
Vulnerable versions
Step to reproduce
3dmodel.3dmodel
):nullptr_3mf_triangle.3mf
slic3r --info nullptr_3mf_triangle.3mf
Example file
nullptr_3mf_triangle.zip
Cause
get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:590 is ineffective, since self->stop() does not terminate the current function. Execution continues to line 593, where atoi receives a NULL pointer input, and a crash results.
Impact
Denial of Service.
Proposed mitigation
Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.
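The control-flow difference described under Cause and Proposed mitigation, as an added example that is not Slic3r's code: a constructed model in which a flag-setting stop() lets the handler reach the atoi() call site with NULL, while a throwing stop() does not. FlagContext, ThrowingContext, null_reaches_atoi and the attribute name "v1" are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <map>
#include <stdexcept>
#include <string>

// Constructed model of the pattern in the report; not Slic3r source code.
using Attrs = std::map<std::string, std::string>;

// Like the get_attribute() described above: NULL when the attribute is absent.
const char* get_attribute(const Attrs& a, const char* name) {
    auto it = a.find(name);
    return it == a.end() ? nullptr : it->second.c_str();
}

// stop() as reported: it records the request and returns to the caller.
struct FlagContext { bool stopped = false; void stop() { stopped = true; } };

// stop() as proposed: throwing unwinds out of the handler immediately.
struct ThrowingContext {
    void stop() { throw std::runtime_error("3MF parsing stopped"); }
};

// Handler with the same check shape. Returns true when control arrives at the
// atoi() call site still holding NULL; the model reports that instead of
// calling atoi(NULL), which is undefined behaviour.
template <class Ctx>
bool null_reaches_atoi(Ctx& ctx, const Attrs& attrs, int& out) {
    const char* v1 = get_attribute(attrs, "v1");  // "v1" chosen for illustration
    if (!v1) ctx.stop();
    if (!v1) return true;   // the reported code calls atoi(v1) at this point
    out = std::atoi(v1);
    return false;
}

bool flag_variant_reaches_atoi() {
    FlagContext ctx; int out = 0;
    return null_reaches_atoi(ctx, Attrs{}, out);      // attribute missing
}

bool throwing_variant_reaches_atoi() {
    ThrowingContext ctx; int out = 0;
    try { return null_reaches_atoi(ctx, Attrs{}, out); }
    catch (const std::runtime_error&) { return false; }  // caller rejects the file
}

int parse_valid_v1() {
    ThrowingContext ctx; int out = -1;
    Attrs good; good["v1"] = "7";                      // constructed sample input
    null_reaches_atoi(ctx, good, out);
    return out;
}
```

With a throwing stop(), whatever drives the parser has to catch the exception at the top level and treat the file as invalid.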