
Cloud Vulnerability DB
A community-led vulnerabilities database
Several missing input validations in the 3MF parser component of Slic3r libslic3r 1.3.0 can each allow an attacker to cause an application crash using a crafted 3MF input file. The vulnerability was assigned identifier CVE-2021-45847 and was disclosed on January 25, 2022 (NVD).
The vulnerability stems from NULL pointer dereferences in the 3MF XML parser when processing malformed input files. The issue occurs because the get_attribute() function in TMF.cpp returns NULL if a sought attribute is missing, and the NULL checks implemented are ineffective as they don't properly terminate parsing. This leads to crashes when functions like atof() and atoi() receive NULL pointer inputs (GitHub Issue 5118, GitHub Issue 5119). The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).
The vulnerability results in a Denial of Service condition when processing specially crafted 3MF files. When exploited, it causes the application to crash due to NULL pointer dereferences, affecting the availability of the service (GitHub Issue 5118, GitHub Issue 5119, GitHub Issue 5120).
The proposed mitigation involves throwing an exception in TMFParserContext::stop() to ensure that file parsing stops immediately when invalid input is detected. Additionally, proper NULL checks should be implemented before constructing strings from attribute values (GitHub Issue 5118, GitHub Issue 5120).
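The mitigation described above, as an added example that is not Slic3r's own code: a lookup that throws on a missing attribute so parsing stops, plus a checked numeric conversion. The attribute-array layout, the `get_attribute` signature shown here, `required_attribute`, `required_double` and the sample vertex are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>

// Assumed expat-style attribute list: name, value, name, value, ..., nullptr.
// Returns nullptr when the attribute is absent (the behaviour the page describes).
const char* get_attribute(const char** atts, const char* name) {
    if (atts == nullptr) return nullptr;
    for (; atts[0] != nullptr && atts[1] != nullptr; atts += 2)
        if (std::strcmp(atts[0], name) == 0) return atts[1];
    return nullptr;
}

// Unsafe pattern: atof(get_attribute(atts, "x")) dereferences NULL when "x" is missing.

// Hardened lookup (hypothetical helper): a missing attribute throws,
// so the caller cannot continue parsing past it.
const char* required_attribute(const char** atts, const char* name) {
    const char* value = get_attribute(atts, name);
    if (value == nullptr)
        throw std::runtime_error(std::string("3MF: missing attribute '") + name + "'");
    return value;
}

// Numeric conversion (hypothetical helper) that also rejects empty or non-numeric values.
double required_double(const char** atts, const char* name) {
    const char* value = required_attribute(atts, name);
    char* end = nullptr;
    double parsed = std::strtod(value, &end);
    if (end == value || *end != '\0')
        throw std::runtime_error(std::string("3MF: invalid number in '") + name + "'");
    return parsed;
}

// Constructed sample: a vertex element whose "z" attribute is missing.
// Returns true when the element is rejected instead of crashing.
bool rejects_vertex_without_z() {
    const char* atts[] = {"x", "1.5", "y", "2.0", nullptr};
    try {
        required_double(atts, "x");
        required_double(atts, "y");
        required_double(atts, "z");  // absent: throws here
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```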
Source: This report was generated using AI