From 00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001 From: Torsten Paul Date: Sat, 5 Feb 2022 18:38:31 +0100 Subject: [PATCH] CVE-2022-0496 Out-of-bounds memory access in DXF loader. Public issue: https://github.com/openscad/openscad/issues/4037 Fix in master branch: https://github.com/openscad/openscad/pull/4090 --- src/dxfdata.cc | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/src/dxfdata.cc b/src/dxfdata.cc index 2bb7236746..aa6b6f3976 100644 --- a/src/dxfdata.cc +++ b/src/dxfdata.cc @@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa, auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]); for (size_t ki = 0; ki < lv.size(); ++ki) { int k = lv.at(ki); + if (k < 0 || k >= lines.size()) { + LOG(message_group::Warning,Location::NONE,"", + "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); + continue; + } if (k == idx || lines[k].disabled) continue; goto next_open_path_j; } @@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa, auto lv = grid.data(ref_point[0], ref_point[1]); for (size_t ki = 0; ki < lv.size(); ++ki) { int k = lv.at(ki); + if (k < 0 || k >= lines.size()) { + LOG(message_group::Warning,Location::NONE,"", + "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); + continue; + } if (lines[k].disabled) continue; - if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { + auto idk0 = lines[k].idx[0]; // make it easier to read and debug + auto idk1 = lines[k].idx[1]; + if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { current_line = k; current_point = 0; goto found_next_line_in_open_path; } - if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { + if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { current_line = k; current_point = 1; goto found_next_line_in_open_path; @@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa, auto lv = grid.data(ref_point[0], ref_point[1]); for (size_t ki = 0; ki < lv.size(); ++ki) { int k = lv.at(ki); + if (k < 0 || k >= lines.size()) { + LOG(message_group::Warning,Location::NONE,"", + "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); + continue; + } if (lines[k].disabled) continue; - if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { + auto idk0 = lines[k].idx[0]; // make it easier to read and debug + auto idk1 = lines[k].idx[1]; + if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { current_line = k; current_point = 0; goto found_next_line_in_closed_path; } - if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { + if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { current_line = k; current_point = 1; goto found_next_line_in_closed_path;