From bbea97ea1b6d2629d701a4cc59e4d9d778eae983 Mon Sep 17 00:00:00 2001
From: eldstal
Date: Sun, 26 Dec 2021 16:19:33 +0100
Subject: [PATCH 1/2] Add check for empty faces in IO::OBJ::read() This is a fix for issue #5115
---
 xs/src/libslic3r/IO.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/xs/src/libslic3r/IO.cpp b/xs/src/libslic3r/IO.cpp
index 0a0500a928..323e0b37a6 100644
--- a/xs/src/libslic3r/IO.cpp
+++ b/xs/src/libslic3r/IO.cpp
@@ -143,10 +143,12 @@ OBJ::read(std::string input_file, Model* model)
 ));
 }
- TriangleMesh mesh(points, facets);
- mesh.check_topology();
- ModelVolume* volume = object->add_volume(mesh);
- volume->name = object->name;
+ if (points.size() > 0) {
+ TriangleMesh mesh(points, facets);
+ mesh.check_topology();
+ ModelVolume* volume = object->add_volume(mesh);
+ volume->name = object->name;
+ }
 }
 return true;
From 4cb1f4eef2e9952c45fdd936181a21e4f89a06d0 Mon Sep 17 00:00:00 2001
From: eldstal
Date: Sun, 26 Dec 2021 22:51:02 +0100
Subject: [PATCH 2/2] Added missing bounds check to TriangleMesh constructor. This fixes issue #5115 and CVE-2020-28590
---
 xs/src/libslic3r/IO.cpp | 10 ++++------
 xs/src/libslic3r/TriangleMesh.cpp | 9 ++++++++-
 xs/src/libslic3r/TriangleMesh.hpp | 4 ++--
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/xs/src/libslic3r/IO.cpp b/xs/src/libslic3r/IO.cpp
index 323e0b37a6..0a0500a928 100644
--- a/xs/src/libslic3r/IO.cpp
+++ b/xs/src/libslic3r/IO.cpp
@@ -143,12 +143,10 @@ OBJ::read(std::string input_file, Model* model)
 ));
 }
- if (points.size() > 0) {
- TriangleMesh mesh(points, facets);
- mesh.check_topology();
- ModelVolume* volume = object->add_volume(mesh);
- volume->name = object->name;
- }
+ TriangleMesh mesh(points, facets);
+ mesh.check_topology();
+ ModelVolume* volume = object->add_volume(mesh);
+ volume->name = object->name;
 }
 return true;
diff --git a/xs/src/libslic3r/TriangleMesh.cpp b/xs/src/libslic3r/TriangleMesh.cpp
index c13802c1d6..ea04172aff 100644
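Review bot: In the [PATCH 2/2] IO.cpp hunk, `TriangleMesh mesh(points, facets);` can now throw `std::runtime_error` for a face that references a missing vertex, while `OBJ::read()` otherwise reports its outcome through the `bool` visible at `return true;`. Nothing in the hunk catches the exception, and whether callers do cannot be confirmed from here; if they only test the return value, a malformed file aborts the load instead of being rejected as a failed read. `object` is already in use before the mesh is built, so a throw may also leave an object without a volume in `model`. Either catch in `read()` and return `false`, or document the behaviour on the function, e.g. `// Throws std::runtime_error if a face references a vertex index that does not exist.` The body of `OBJ::read()` starts and ends outside the hunk.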
--- a/xs/src/libslic3r/TriangleMesh.cpp
+++ b/xs/src/libslic3r/TriangleMesh.cpp
@@ -37,7 +37,7 @@ TriangleMesh::TriangleMesh()
 stl_initialize(&this->stl);
 }
-TriangleMesh::TriangleMesh(const Pointf3* points, const Point3* facets, size_t n_facets)
+TriangleMesh::TriangleMesh(const Pointf3* points, size_t n_points, const Point3* facets, size_t n_facets)
 : repaired(false)
 {
 stl_initialize(&this->stl);
@@ -51,6 +51,13 @@ TriangleMesh::TriangleMesh(const Pointf3* points, const Point3* facets, size_t n
 stl_allocate(&stl);
 for (int i = 0; i < stl.stats.number_of_facets; i++) {
+
+ if (facets[i].x >= n_points ||
+ facets[i].y >= n_points ||
+ facets[i].z >= n_points) {
+ throw std::runtime_error("Invalid facet");
+ }
+
 stl_facet facet;
 facet.normal.x = 0;
 facet.normal.y = 0;
diff --git a/xs/src/libslic3r/TriangleMesh.hpp b/xs/src/libslic3r/TriangleMesh.hpp
index 3b1702f938..da6c748593 100644
--- a/xs/src/libslic3r/TriangleMesh.hpp
+++ b/xs/src/libslic3r/TriangleMesh.hpp
@@ -42,7 +42,7 @@ class TriangleMesh
 /// First argument is a container (either vector or array) of Pointf3 for the vertex data.
 /// Second argument is container of facets (currently Point3).
 template
- TriangleMesh(const Vertex_Cont& vertices, const Facet_Cont& facets) : TriangleMesh(vertices.data(), facets.data(), facets.size()) {}
+ TriangleMesh(const Vertex_Cont& vertices, const Facet_Cont& facets) : TriangleMesh(vertices.data(), vertices.size(), facets.data(), facets.size()) {}
 TriangleMesh(const TriangleMesh &other);
 /// copy assignment
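Review bot: The `throw std::runtime_error("Invalid facet");` added in the second TriangleMesh.cpp hunk runs after `stl_allocate(&stl);`, and a constructor that throws never has its destructor run, so the facet storage for a rejected mesh is presumably leaked on every malformed file. Validating all indices before the allocation, or releasing the storage just before the throw (for example `stl_close(&this->stl);`, if that is what the destructor uses), would keep the rejection path clean. The comparison `facets[i].x >= n_points` also mixes the index type with `size_t`; if `Point3` coordinates are signed (the declaration is not in this diff), negative indices are rejected only through implicit conversion, and an explicit `facets[i].x < 0 ||` per component would make the lower bound visible. The constructor body continues outside the hunk.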
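Review bot: The public container constructor in the first TriangleMesh.hpp hunk can now throw, but its doc comment still describes only the two arguments. Add a line such as `/// Throws std::runtime_error if a facet references a vertex index outside the vertex container.` so that callers feeding it parsed file data know the failure has to be handled.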
@@ -163,7 +163,7 @@ class TriangleMesh
 /// Private constructor that is called from the public sphere.
 /// It doesn't do any bounds checking on points and operates on raw pointers, so we hide it.
 /// Other constructors can call this one!
- TriangleMesh(const Pointf3* points, const Point3* facets, size_t n_facets);
+ TriangleMesh(const Pointf3* points, size_t n_points, const Point3* facets, size_t n_facets);
 /// Perform the mechanics of a stl copy
 void clone(const TriangleMesh& other);
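Review bot: The comment above the private constructor still says `It doesn't do any bounds checking on points`, which no longer matches the code now that it takes `n_points` and rejects out-of-range facet indices. Reword it, for example `/// It operates on raw pointers and trusts n_points and n_facets to match the arrays, so we hide it; facet indices are checked against n_points.` The remaining unchecked assumption (that the counts describe the buffers) is the part of the memory-safety contract a future caller needs to see stated.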