Summary
A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.
Vulnerable versions
Step to reproduce
3dmodel.3dmodel
):nullptr_3mf_volume.3mf
slic3r --info nullptr_3mf_volume.3mf
Example file
nullptr_3mf_volume.zip
Cause
get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The constructor of std::string is invoked implicitly, leading to a crash (std::string(NULL)). The check at TMF.cpp:602 is ineffective, since it occurs after the NULL pointer is dereferenced.
Impact
Denial of Service.
Proposed mitigation
Perform a NULL check on the return values from get_attribute before constructing strings from them. Ensure that the NULL check terminates parsing, as proposed in #5118 and #5119.
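
The mitigation described above, as an added example; it is not Slic3r's code and not the change proposed in #5118 or #5119. The get_attribute() here is a stand-in with an assumed expat-style signature, and ParseState, read_attribute, on_element and the attribute names "start" and "end" are hypothetical.

```cpp
#include <cstring>
#include <string>

// Stand-in for the lookup described in the report (assumed signature): scans a
// NULL-terminated array of name/value pairs and returns NULL when absent.
static const char* get_attribute(const char** atts, const char* name) {
    if (atts == nullptr) return nullptr;
    for (; atts[0] != nullptr && atts[1] != nullptr; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;
}

// Pattern from the report, kept as a comment because it is undefined behaviour:
//   std::string value = get_attribute(atts, "end");  // std::string(NULL)
//   if (value.empty()) stop_parsing();                // check runs too late

// Hardened lookup: the raw pointer is tested before any std::string is built.
static bool read_attribute(const char** atts, const char* name, std::string& out) {
    const char* raw = get_attribute(atts, name);
    if (raw == nullptr) return false;
    out = raw;
    return true;
}

// Hypothetical parser state; "stopped" models terminating the parse.
struct ParseState {
    bool stopped = false;
    std::string error;
    std::string start, end;
};

// Hypothetical element handler: a missing required attribute stops parsing,
// and later elements are ignored once the parser has stopped.
static bool on_element(ParseState& st, const char** atts) {
    if (st.stopped) return false;
    if (!read_attribute(atts, "start", st.start) ||
        !read_attribute(atts, "end", st.end)) {
        st.stopped = true;
        st.error = "missing required attribute";
        return false;
    }
    return true;
}

// Constructed sample inputs (not taken from the report's example file).
static const char* kComplete[] = {"start", "0", "end", "11", nullptr};
static const char* kMissingEnd[] = {"start", "0", nullptr};
```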