From 6762986f746eca0052705028bef81db9638470a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Thu, 18 Mar 2021 10:25:50 +0100
Subject: [PATCH] Security fix for CVE-2020-28591

---
 slic3r-CVE-2020-28591.patch | 21 +++++++++++++++++++++
 slic3r.spec                 | 12 +++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 slic3r-CVE-2020-28591.patch

diff --git a/slic3r-CVE-2020-28591.patch b/slic3r-CVE-2020-28591.patch
new file mode 100644
index 0000000..cc37ea0
--- /dev/null
+++ b/slic3r-CVE-2020-28591.patch
@@ -0,0 +1,21 @@
+diff --git a/xs/src/libslic3r/IO/AMF.cpp b/xs/src/libslic3r/IO/AMF.cpp
+index 7433762..42e6491 100644
+--- a/xs/src/libslic3r/IO/AMF.cpp
++++ b/xs/src/libslic3r/IO/AMF.cpp
+@@ -344,9 +344,13 @@ void AMFParserContext::endElement(const char *name)
+     // Faces of the current volume:
+     case NODE_TYPE_TRIANGLE:
+         assert(m_object && m_volume);
+-        m_volume_facets.push_back(atoi(m_value[0].c_str()));
+-        m_volume_facets.push_back(atoi(m_value[1].c_str()));
+-        m_volume_facets.push_back(atoi(m_value[2].c_str()));
++        if (strtoul(m_value[0].c_str(), nullptr, 10) < m_object_vertices.size() &&
++            strtoul(m_value[1].c_str(), nullptr, 10) < m_object_vertices.size() &&
++            strtoul(m_value[2].c_str(), nullptr, 10) < m_object_vertices.size()) {
++            m_volume_facets.push_back(atoi(m_value[0].c_str()));
++            m_volume_facets.push_back(atoi(m_value[1].c_str()));
++            m_volume_facets.push_back(atoi(m_value[2].c_str()));
++        }
+         m_value[0].clear();
+         m_value[1].clear();
+         m_value[2].clear();
diff --git a/slic3r.spec b/slic3r.spec
index dd7bdf6..49c2512 100644
--- a/slic3r.spec
+++ b/slic3r.spec
@@ -5,7 +5,7 @@
 
 Name:           slic3r
 Version:        1.3.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 Summary:        G-code generator for 3D printers (RepRap, Makerbot, Ultimaker etc.)
 License:        AGPLv3 and CC-BY
 # Images are CC-BY, code is AGPLv3
@@ -32,6 +32,10 @@ Patch9:         %{name}-bind-placeholders.patch
 # Use boost/nowide/cstdlib.hpp instead of boost/nowide/cenv.hpp (PR#4976)
 Patch10:        %{name}-boost-nowide.patch
 
+# Security fix for CVE-2020-28591
+# https://github.com/slic3r/Slic3r/pull/5063
+Patch11:        %{name}-CVE-2020-28591.patch
+
 Source1:        %{name}.desktop
 Source2:        %{name}.appdata.xml
 
@@ -137,6 +141,7 @@ for more information.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 # Optional removals
 %if %{use_system_admesh}
@@ -249,6 +254,11 @@ SLIC3R_NO_AUTO=1 perl Build.PL installdirs=vendor
 %{_datadir}/%{name}
 
 %changelog
+* Thu Mar 18 2021 Miro Hrončok <mhroncok@redhat.com> - 1.3.0-19
+- Security fix for CVE-2020-28591
+- Resolves: rhbz#1934823
+- Resolves: rhbz#1934824
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-18
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild