slic3r/slic3r-CVE-2020-28591.patch

22 lines
1.1 KiB
Diff
Raw Permalink Normal View History

2021-03-18 09:25:50 +00:00
diff --git a/xs/src/libslic3r/IO/AMF.cpp b/xs/src/libslic3r/IO/AMF.cpp
index 7433762..42e6491 100644
--- a/xs/src/libslic3r/IO/AMF.cpp
+++ b/xs/src/libslic3r/IO/AMF.cpp
@@ -344,9 +344,13 @@ void AMFParserContext::endElement(const char *name)
// Faces of the current volume:
case NODE_TYPE_TRIANGLE:
assert(m_object && m_volume);
- m_volume_facets.push_back(atoi(m_value[0].c_str()));
- m_volume_facets.push_back(atoi(m_value[1].c_str()));
- m_volume_facets.push_back(atoi(m_value[2].c_str()));
+ if (strtoul(m_value[0].c_str(), nullptr, 10) < m_object_vertices.size() &&
+ strtoul(m_value[1].c_str(), nullptr, 10) < m_object_vertices.size() &&
+ strtoul(m_value[2].c_str(), nullptr, 10) < m_object_vertices.size()) {
+ m_volume_facets.push_back(atoi(m_value[0].c_str()));
+ m_volume_facets.push_back(atoi(m_value[1].c_str()));
+ m_volume_facets.push_back(atoi(m_value[2].c_str()));
+ }
m_value[0].clear();
m_value[1].clear();
m_value[2].clear();