Security: Out of bounds read in OBJ face parser #5115
Comments
eldstal
added a commit
to eldstal/Slic3r
that referenced
this issue
Dec 26, 2021
This is a fix for issue slic3r#5115
|
The root cause for this appears to be the same as CVE-2020-28590, which is a good 12 months old by now. |
eldstal
added a commit
to eldstal/Slic3r
that referenced
this issue
Dec 26, 2021
This fixes issue slic3r#5115 and CVE-2020-28590
eldstal
added a commit
to eldstal/Slic3r
that referenced
this issue
Dec 26, 2021
This fixes issue slic3r#5115 and CVE-2020-28590
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
An out-of-bounds read in the OBJ file parsing leads to segmentation fault and potential information disclosure.
Vulnerable versions
Step to reproduce
oob_face.obj):slic3r --info oob_face.objScreenshot
Example file
oob_face.zip
Cause
The
f(face) element in an OBJ file refers to previously specified vertices by index. A bounds check is missing, allowing a face to be created with invalid vertex indices. This leads to an out of bounds read at TriangleMesh.cpp:59 due topointsbeing a NULL pointer. As the offset is controlled by the input file, this can be leveraged to read a value from an arbitrary location in memory.Impact
Information disclosure. This type of bug can be used to bypass automatic security mechanisms such as stack protectors and pointer encryption.
Proposed mitigation
It appears that the
tinyobjparser has identified that the vertex indices are invalid, so all that's missing is a check before calling theTriangleMeshconstructor at IO.cpp:146.System information
The text was updated successfully, but these errors were encountered: