search

slic3r / Slic3r

Open Source toolpath generator for 3D printers
https://slic3r.org/
GNU Affero General Public License v3.0
3.28k stars 1.29k forks source link

NULL pointer dereference in 3MF XML parser (slic3r:volume tag without ts/te/modifier attribute) #5120

Open eldstal opened 2 years ago

eldstal commented 2 years ago

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Step to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel): 
    <model>
<resources>
<object id="1">
  <mesh>
    <vertices>
      <slic3r:volume />
    </vertices>
  </mesh>
</object>
</resources>
</model>
  2. Pack the file into a zip archive together with the prerequisite other files from a 3mf file: 
    3D/3dmodel.3dmodel
rels/.rels
[Content_Types].xml
  3. Rename the zip archive to nullptr_3mf_volume.3mf
  4. Execute slic3r --info nullptr_3mf_volume.3mf
  5. Observe segmentation fault.

Example file

nullptr_3mf_volume.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The constructor of std::string is invoked implicitly, leading to a crash (std::string(NULL)). The check at TMF.cpp:602 is ineffective, since it occurs after the NULL pointer is dereferenced.

Impact

Denial of Service.

Proposed mitigation

Perform a NULL check on the return values from get_attribute before constructing strings from them. Ensure that the NULL check terminates parsing, as proposed in #5118 and #5119.

eldstal commented 2 years ago

This vulnerability has been assigned CVE-2021-45847.

supermerill commented 2 years ago

not present in merill-merge branch