Fix heap mismatch and stack buffer overflows in model file parsing #281

Open
opened 2026-04-05 16:19:31 +02:00 by MrUnknownDE · 0 comments

Originally created by @marcdonovan on 3/17/2026

Summary

  • src/libslic3r/Preset.cpp: Replace free() with delete on a new-allocated ConfigSubstitutions object. Mixing C and C++ deallocation is undefined behavior and can corrupt the heap. Reachable via a crafted 3MF file with embedded preset config substitutions.
  • deps_src/admesh/stlinit.cpp: Add width limits to fscanf/sscanf format strings when parsing the STL ASCII solid-name header. Unbounded %s/%[^\n] into fixed-size stack buffers allows a crafted STL file with an oversized solid name to overflow those buffers with attacker-controlled data.

These issues were identified via CodeQL static analysis (cpp/new-free-mismatch, cpp/unbounded-write).

Test plan

  • Load a valid ASCII STL file — solid name parsed correctly
  • Load a valid 3MF file with embedded presets — presets load without crash
  • Load a crafted ASCII STL with a solid name > 255 characters — no crash/overflow
  • Load a crafted 3MF with embedded preset config substitutions — no heap corruption
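As an added illustration of the stlinit.cpp fix and the oversized-solid-name test above (example code, not from the PR or admesh): a bounded header parser in which the width limit on the scanset stops sscanf at the buffer size, so a name of 1000 characters is truncated rather than written past the end. The 255-byte buffer size is taken from the test plan; the function names and the canary struct are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for admesh's fixed-size header buffer; the 255 figure comes from
 * the PR's test plan, the real buffer name and size are not on this page. */
#define SOLID_NAME_MAX 255

/* Parse the "solid <name>" header line of an ASCII STL file.
 * Returns 1 if the line is a solid header (name may be empty), 0 otherwise.
 * The width on the scanset (%255[^\n]) is the fix the PR describes: sscanf
 * stops after SOLID_NAME_MAX bytes, whereas an unbounded %[^\n] or %s would
 * keep writing attacker-controlled bytes past the end of `name`. */
static int parse_solid_header(const char *line, char name[SOLID_NAME_MAX + 1]) {
    char keyword[8];              /* "solid" plus room for a mismatch to show */
    char fmt[32];
    name[0] = '\0';
    snprintf(fmt, sizeof fmt, "%%7s %%%d[^\n]", SOLID_NAME_MAX);
    int n = sscanf(line, fmt, keyword, name);
    return n >= 1 && strcmp(keyword, "solid") == 0;
}

/* Length of the parsed solid name, or -1 if the line is not a solid header. */
static int parsed_name_length(const char *line) {
    char name[SOLID_NAME_MAX + 1];
    if (!parse_solid_header(line, name))
        return -1;
    return (int)strlen(name);
}

/* Constructed input for the test plan's ">255 characters" case: "solid " plus
 * `len` 'A's. A canary placed right after the name buffer must survive, and
 * the stored name must be cut at SOLID_NAME_MAX. Returns 1 on both counts. */
static int oversized_name_is_truncated(size_t len) {
    struct { char name[SOLID_NAME_MAX + 1]; char canary[8]; } g;
    char line[1024];
    if (len > sizeof line - 8)
        return 0;
    memcpy(line, "solid ", 6);
    memset(line + 6, 'A', len);
    line[6 + len] = '\n';
    line[7 + len] = '\0';
    memcpy(g.canary, "CANARY!", 8);
    if (!parse_solid_header(line, g.name))
        return 0;
    size_t expect = len < SOLID_NAME_MAX ? len : SOLID_NAME_MAX;
    return strlen(g.name) == expect && memcmp(g.canary, "CANARY!", 8) == 0;
}
```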

🤖 Generated with Claude Code


Reference: github/OrcaSlicer#281