Headline
CVE-2021-45847: NULL pointer dereference in 3MF XML parser (vertex tag without x/y/z attribute) · Issue #5118 · slic3r/Slic3r
Several missing input validations in the 3MF parser component of Slic3r libslic3r 1.3.0 can each allow an attacker to cause an application crash using a crafted 3MF input file.
Summary
A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.
Vulnerable versions
- Slic3r (commit b1a5500)
Steps to reproduce
- Create the proof-of-concept 3MF model file (3dmodel.3dmodel):

    <model>
      <resources>
        <object id="1">
          <mesh>
            <vertices>
              <vertex />
            </vertices>
          </mesh>
        </object>
      </resources>
    </model>

- Pack the file into a zip archive together with the other files a 3MF archive requires:

    3D/3dmodel.3dmodel
    rels/.rels
    [Content_Types].xml
- Rename the zip archive to nullptr_3mf_vertex.3mf
- Execute slic3r --info nullptr_3mf_vertex.3mf
- Observe segmentation fault.
Example file
nullptr_3mf_vertex.zip
Cause
get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The NULL check at TMF.cpp:580 is ineffective, since self->stop() does not terminate the current function. Execution continues to line 582, where atof receives the NULL pointer as input, and a crash results.
Impact
Denial of Service.
Proposed mitigation
Throw an exception in TMFParserContext::stop() to ensure that file parsing stops immediately.
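The following is an added example, not Slic3r's own code, that models the failure mode described under "Cause" and the fix described under "Proposed mitigation" side by side. The attribute array layout, the get_attribute() helper, the two context types (FlagContext, ThrowingContext) and the safe_atof() wrapper are all constructed for illustration: safe_atof() records that the conversion step was reached with a null pointer instead of calling atof(nullptr), so the example runs without crashing while still showing which stop() variant lets execution reach that point.

```cpp
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <stdexcept>

// Constructed expat-style attribute array: {name, value, name, value, ..., nullptr}.
// Hypothetical helper mirroring the reported behaviour of get_attribute():
// returns nullptr when the attribute is absent.
const char* get_attribute(const char** attributes, const char* name) {
    for (size_t i = 0; attributes[i] != nullptr; i += 2) {
        if (std::strcmp(attributes[i], name) == 0) return attributes[i + 1];
    }
    return nullptr;
}

// Records whether number conversion was reached with a null pointer.
// Real atof(nullptr) is undefined behaviour and segfaults in practice;
// this stand-in just notes that the crash path was reached.
struct ConversionLog { bool null_reached = false; };

double safe_atof(const char* s, ConversionLog& log) {
    if (s == nullptr) { log.null_reached = true; return 0.0; }
    return std::atof(s);
}

// Flag-only stop(): the pattern the report describes. The caller keeps running.
struct FlagContext {
    bool stopped = false;
    void stop() { stopped = true; }
};

// Throwing stop(): the proposed mitigation. Unwinds out of the handler at once.
struct ThrowingContext {
    bool stopped = false;
    void stop() { stopped = true; throw std::runtime_error("3MF parsing stopped: malformed <vertex>"); }
};

struct Vertex { double x, y, z; };

// Simplified <vertex> start-element handler: check attributes, then convert.
template <class Ctx>
Vertex handle_vertex(Ctx& ctx, const char** attributes, ConversionLog& log) {
    const char* x = get_attribute(attributes, "x");
    const char* y = get_attribute(attributes, "y");
    const char* z = get_attribute(attributes, "z");
    if (x == nullptr || y == nullptr || z == nullptr) {
        ctx.stop();   // with FlagContext, execution continues past this line
    }
    Vertex v;
    v.x = safe_atof(x, log);   // the atof call the report points at
    v.y = safe_atof(y, log);
    v.z = safe_atof(z, log);
    return v;
}

// <vertex /> with no attributes, handled with the flag-only stop(): the
// conversion step is reached with null pointers, i.e. the crash path.
bool flag_stop_reaches_null_conversion() {
    const char* attrs[] = { nullptr };
    FlagContext ctx;
    ConversionLog log;
    handle_vertex(ctx, attrs, log);
    return log.null_reached;
}

// Same malformed element with the throwing stop(): conversion is never reached.
bool throwing_stop_reaches_null_conversion() {
    const char* attrs[] = { nullptr };
    ThrowingContext ctx;
    ConversionLog log;
    try {
        handle_vertex(ctx, attrs, log);
    } catch (const std::runtime_error&) {
        // Expected: the parser context aborts the whole parse here.
    }
    return log.null_reached;
}

// A well-formed vertex still parses normally with the throwing context.
bool well_formed_vertex_parses() {
    const char* attrs[] = { "x", "1.5", "y", "-2", "z", "0.25", nullptr };
    ThrowingContext ctx;
    ConversionLog log;
    Vertex v = handle_vertex(ctx, attrs, log);
    return !ctx.stopped && !log.null_reached && v.x == 1.5 && v.y == -2.0 && v.z == 0.25;
}

int main() {
    std::cout << "flag-only stop() reaches atof with NULL: "
              << (flag_stop_reaches_null_conversion() ? "yes" : "no") << "\n";
    std::cout << "throwing stop() reaches atof with NULL: "
              << (throwing_stop_reaches_null_conversion() ? "yes" : "no") << "\n";
    std::cout << "well-formed vertex parses: "
              << (well_formed_vertex_parses() ? "yes" : "no") << "\n";
    return 0;
}
```

The point the example isolates is that a stop() which only records state cannot protect code after the call site; either the handler must return immediately after every stop() (easy to forget at each of the "several missing input validations" the headline mentions), or stop() must unwind the stack itself, which is what the exception-based mitigation achieves in one place.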