GitHub-Proxy/Slic3r
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/slic3r/Slic3r.git synced 2025-08-15 00:55:53 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix CVE-2020-28591 by dropping vertices that are illegal in the facet list.

Browse Source
This commit is contained in:
Joseph Lenox 2021-03-19 10:57:00 -05:00
parent dad3b1edb9
commit 5c4747ecc7
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/libslic3r/Format/AMF.cpp
View File

@ -591,9 +591,14 @@ void AMFParserContext::endElement(const char * /* name */)
// Faces of the current volume: // Faces of the current volume:
case NODE_TYPE_TRIANGLE: case NODE_TYPE_TRIANGLE:
assert(m_object && m_volume); assert(m_object && m_volume);
m_volume_facets.push_back(atoi(m_value[0].c_str())); // drop illegal vertex references.
m_volume_facets.push_back(atoi(m_value[1].c_str())); if (strtoul(m_value[0].c_str(), nullptr, 10) < m_object_vertices.size() &&
m_volume_facets.push_back(atoi(m_value[2].c_str())); strtoul(m_value[1].c_str(), nullptr, 10) < m_object_vertices.size() &&
strtoul(m_value[2].c_str(), nullptr, 10) < m_object_vertices.size()) {
m_volume_facets.push_back(atoi(m_value[0].c_str()));
m_volume_facets.push_back(atoi(m_value[1].c_str()));
m_volume_facets.push_back(atoi(m_value[2].c_str()));
}
m_value[0].clear(); m_value[0].clear();
m_value[1].clear(); m_value[1].clear();
m_value[2].clear(); m_value[2].clear();