
Denial of Service in BinaryDict.cpp #303

Closed
samohyes opened this issue Sep 13, 2018 · 7 comments

@samohyes

commented Sep 13, 2018

Hi, I am a security fan. I found an out-of-bounds pointer in BinaryDict.cpp which could lead to a segmentation fault (Denial of Service if some applications use this library). In BinaryDict::NewFromFile, there are two offsets, keyOffset and valueOffset. So if I provide a .ocd file in which I can control these two offsets, I can actually make them really big. The pointers (const char* key and const char* value) will then point to an unreadable place. I've attached the POCs for these two pointers. Hope you can respond soon :)

POCs.zip
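The defect described in this report is the classic one: an offset read from an untrusted file is added to a buffer pointer without first checking that the result still lies inside the buffer. The following is an added example (not OpenCC's code, and not the draft patch discussed later in this thread) that shows the shape of the check a loader needs. The record layout, the helper names (InBounds, ReadCString, ReadU32, ParseEntry, MakeFile) and the sample bytes are all constructed for illustration and are not the real .ocd format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical record layout (constructed for this example, not the real .ocd format):
//   uint32_t keyOffset; uint32_t valueOffset; then a data region of NUL-terminated strings.
// Both offsets are relative to the start of the buffer and are attacker-controlled.
struct Entry {
    std::string key;
    std::string value;
};

// True only if [offset, offset + len) lies inside a buffer of bufSize bytes.
// Written as a subtraction so that offset + len cannot wrap around.
static bool InBounds(size_t bufSize, uint64_t offset, uint64_t len) {
    return offset <= bufSize && len <= bufSize - offset;
}

// Reads a little endian-agnostic uint32 (memcpy both ways) after checking the 4 bytes exist.
static bool ReadU32(const std::vector<uint8_t>& buf, size_t at, uint32_t& out) {
    if (!InBounds(buf.size(), at, sizeof(uint32_t))) return false;
    std::memcpy(&out, buf.data() + at, sizeof(uint32_t));
    return true;
}

// Forms the pointer only after the offset is known to be inside the buffer, and then
// requires the NUL terminator to be found before the end of the buffer as well.
static bool ReadCString(const std::vector<uint8_t>& buf, uint64_t offset, std::string& out) {
    if (offset >= buf.size()) return false;  // would point at or past the end
    const char* start = reinterpret_cast<const char*>(buf.data()) + static_cast<size_t>(offset);
    size_t maxLen = buf.size() - static_cast<size_t>(offset);
    const void* nul = std::memchr(start, '\0', maxLen);
    if (nul == nullptr) return false;        // unterminated string: strlen() would run off the buffer
    out.assign(start, static_cast<const char*>(nul) - start);
    return true;
}

// Parses one entry; every failure path returns false instead of dereferencing a bad pointer.
bool ParseEntry(const std::vector<uint8_t>& buf, Entry& e) {
    uint32_t keyOffset = 0, valueOffset = 0;
    if (!ReadU32(buf, 0, keyOffset) || !ReadU32(buf, 4, valueOffset)) return false;
    return ReadCString(buf, keyOffset, e.key) && ReadCString(buf, valueOffset, e.value);
}

// Builds a constructed sample file: 8-byte header followed by "key\0value\0".
std::vector<uint8_t> MakeFile(uint32_t keyOffset, uint32_t valueOffset) {
    std::vector<uint8_t> buf(8);
    std::memcpy(buf.data(), &keyOffset, sizeof(uint32_t));
    std::memcpy(buf.data() + 4, &valueOffset, sizeof(uint32_t));
    const char data[] = "key\0value";       // sizeof(data) == 10, includes both NULs
    buf.insert(buf.end(), data, data + sizeof(data));
    return buf;
}

// A well-formed file: key at offset 8, value at offset 12.
bool GoodFileParses() {
    Entry e;
    return ParseEntry(MakeFile(8, 12), e) && e.key == "key" && e.value == "value";
}

// The case from the report: a huge valueOffset must be rejected, not dereferenced.
bool HugeOffsetRejected() {
    Entry e;
    return !ParseEntry(MakeFile(8, 0xFFFFFFF0u), e);
}

// An offset exactly equal to the file size is also out of bounds.
bool OffsetAtEndRejected() {
    Entry e;
    std::vector<uint8_t> buf = MakeFile(18, 12);  // buf.size() == 18
    return !ParseEntry(buf, e);
}

// A string whose terminator lies outside the buffer must be rejected too.
bool UnterminatedRejected() {
    Entry e;
    std::vector<uint8_t> buf = MakeFile(8, 12);
    buf.pop_back();                                // drop the NUL after "value"
    return !ParseEntry(buf, e);
}

int main() {
    return (GoodFileParses() && HugeOffsetRejected() &&
            OffsetAtEndRejected() && UnterminatedRejected()) ? 0 : 1;
}
```

The point of the example is the order of operations: validate the offset against the buffer length, then form the pointer, then validate the terminator, and only then use the string. A loader that computes `base + offset` first and checks afterwards has already created the pointer the reporter's POC files exercise.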

@samohyes

Author

commented Sep 13, 2018

Prove it like this: ./opencc_dict -i POCs -o temp.txt -f ocd -t text

@epico


commented Oct 16, 2018

Sorry, I tried to fix the security issue, but I am not so familiar with the code.

I have just posted the draft patch; feel free to comment on it.

opencc-check-bounds.patch.gz

@samohyes

Author

commented Oct 16, 2018

> Sorry, I tried to fix the security issue, but I am not so familiar with the code.
>
> I have just posted the draft patch; feel free to comment on it.
>
> opencc-check-bounds.patch.gz

Thanks for the reply. The patch looks good!

@samohyes samohyes closed this Oct 16, 2018

@attritionorg


commented Oct 18, 2018

Was the patch merged with a branch? If so, can you link to the fixing commit? Thanks!

@samohyes

Author

commented Oct 18, 2018

Maybe @epico can merge the patch.

@epico


commented Oct 19, 2018

Created pull request #309

@epico


commented Oct 19, 2018

Sorry, I don't have write access to this repository.

Please help merge the patch!
