Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NULL pointer dereference in 3MF XML parser (triangle tag without v1/v2/v3 attribute) #5119

Open
eldstal opened this issue Dec 26, 2021 · 2 comments

Comments

@eldstal
Copy link

eldstal commented Dec 26, 2021

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Step to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel):
<model>
  <resources>
    <object id="1">
      <mesh>
        <vertices>
          <triangle />
        </vertices>
      </mesh>
    </object>
  </resources>
</model>
  1. Pack the file into a zip archive together with the prerequisite other files from a 3mf file:
3D/3dmodel.3dmodel
rels/.rels
[Content_Types].xml
  1. Rename the zip archive to nullptr_3mf_triangle.3mf
  2. Execute slic3r --info nullptr_3mf_triangle.3mf
  3. Observe segmentation fault.

Example file

nullptr_3mf_triangle.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:590 is ineffective, since self->stop() does not terminate the current function.

Execution continues to line 593, where atoi receives a NULL pointer input, and a crash results.

Impact

Denial of Service.

Proposed mitigation

Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.

@eldstal
Copy link
Author

eldstal commented Jan 25, 2022

This vulnerability has been assigned CVE-2021-45847.

@supermerill
Copy link
Collaborator

not present in merill-merge branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants