NULL pointer dereference in AMF XML parser (metadata tag without type attribute) #5117

Open
eldstal opened this issue Dec 26, 2021 · 2 comments

eldstal commented Dec 26, 2021

Summary

A crafted AMF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Steps to reproduce

  1. Create the proof-of-concept OBJ file (nullptr_amf_metadata.amf.xml):
<amf unit="millimeter">
	<object id="0">
		<metadata>dummy</metadata>
	</object>
</amf>
  2. Execute slic3r --info nullptr_amf_metadata.amf.xml
  3. Observe segmentation fault.

Example file

nullptr_amf_metadata.amf.xml.zip

Cause

An attempt is made to read the type attribute of the <metadata> tag, at AMF.cpp:189. The PoC contains a metadata tag without a type attribute.

get_attribute() returns NULL, and thus the creation of the std::string m_value[0] crashes.

Impact

Denial of Service.

Proposed mitigation

Check for NULL before trying to construct the std::string, set a default value or reject the tag. Similar checks are already in place at line 163 and others.
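
The two mitigations proposed above (reject the tag, or set a default value), as an added example that is not part of the original issue or the Slic3r source. The `get_attribute()` signature, the name/value attribute array layout, and the helper names `metadata_type` and `metadata_type_or` are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for the parser's attribute lookup (assumed signature).
// atts is assumed to be a name, value, name, value, ..., nullptr array.
static const char* get_attribute(const char** atts, const char* name) {
    if (atts == nullptr) return nullptr;
    for (; atts[0] != nullptr && atts[1] != nullptr; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;  // attribute absent, as with <metadata>dummy</metadata>
}

// Unsafe pattern described in the issue (shown only as a comment, never run):
//     std::string type = get_attribute(atts, "type");
// Building a std::string from a null const char* is undefined behaviour.

// Mitigation A: reject the tag. Returns false and leaves `out` untouched
// when the type attribute is missing, so the caller can skip or fail the tag.
static bool metadata_type(const char** atts, std::string& out) {
    const char* type = get_attribute(atts, "type");
    if (type == nullptr) return false;
    out = type;
    return true;
}

// Mitigation B: substitute a caller-chosen default for a missing attribute.
static std::string metadata_type_or(const char** atts, const std::string& fallback) {
    const char* type = get_attribute(atts, "type");
    return type != nullptr ? std::string(type) : fallback;
}

int main() {
    const char* no_type[]   = {nullptr};                 // constructed: PoC tag
    const char* with_type[] = {"type", "name", nullptr}; // constructed: valid tag
    std::string t;
    std::printf("PoC tag accepted: %d\n", metadata_type(no_type, t));
    std::printf("valid tag accepted: %d (%s)\n",
                metadata_type(with_type, t), t.c_str());
    std::printf("PoC tag with default: %s\n",
                metadata_type_or(no_type, "unknown").c_str());
    return 0;
}
```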

eldstal commented Jan 25, 2022

This vulnerability has been assigned CVE-2021-45846.

supermerill added a commit to supermerill/SuperSlicer that referenced this issue Feb 1, 2022

supermerill (Collaborator) commented

note that patch should also be applied to prusaslicer @bubnikv

DzzD pushed a commit to DzzD/SuperSlicer that referenced this issue Apr 17, 2022