Decompressing untrusted input is unsafe #7
I should have mentioned that it doesn't seem to be safe to rely on the

Here is a quick test:

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "wfLZ.h"

#define LOREM_IPSUM \
  "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed vulputate " \
  "lectus nisl, vitae ultricies justo dictum nec. Vestibulum ante ipsum " \
  "primis in faucibus orci luctus et ultrices posuere cubilia Curae; " \
  "Suspendisse suscipit quam a lectus adipiscing, sed tempor purus " \
  "cursus. Vivamus id nulla eget elit eleifend molestie. Integer " \
  "sollicitudin lorem enim, eu eleifend orci facilisis sed. Pellentesque " \
  "sodales luctus enim vel viverra. Cras interdum vel nisl in " \
  "facilisis. Curabitur sollicitudin tortor vel congue " \
  "auctor. Suspendisse egestas orci vitae neque placerat blandit.\n" \
  "\n" \
  "Aenean sed nisl ultricies, vulputate lorem a, suscipit nulla. Donec " \
  "egestas volutpat neque a eleifend. Nullam porta semper " \
  "nunc. Pellentesque adipiscing molestie magna, quis pulvinar metus " \
  "gravida sit amet. Vestibulum mollis et sapien eu posuere. Quisque " \
  "tristique dignissim ante et aliquet. Phasellus vulputate condimentum " \
  "nulla in vulputate.\n" \
  "\n" \
  "Nullam volutpat tellus at nisi auctor, vitae mattis nibh viverra. Nunc " \
  "vitae lectus tristique, ultrices nibh quis, lobortis elit. Curabitur " \
  "at vestibulum nisi, nec facilisis ante. Nulla pharetra blandit lacus, " \
  "at sodales nulla placerat eget. Nulla congue varius tortor, sit amet " \
  "tempor est mattis nec. Praesent vitae tristique ipsum, rhoncus " \
  "tristique lorem. Sed et erat tristique ligula accumsan fringilla eu in " \
  "urna. Donec dapibus hendrerit neque nec venenatis. In euismod sapien " \
  "ipsum, auctor consectetur mi dapibus hendrerit.\n" \
  "\n" \
  "Phasellus sagittis rutrum velit, in sodales nibh imperdiet a. Integer " \
  "vitae arcu blandit nibh laoreet scelerisque eu sit amet eros. Aenean " \
  "odio felis, aliquam in eros at, ornare luctus magna. In semper " \
  "tincidunt nunc, sollicitudin gravida nunc laoreet eu. Cras eu tempor " \
  "sapien, ut dignissim elit. Proin eleifend arcu tempus, semper erat et, " \
  "accumsan erat. Praesent vulputate diam mi, eget mollis leo " \
  "pellentesque eget. Aliquam eu tortor posuere, posuere velit sed, " \
  "suscipit eros. Nam eu leo vitae mauris condimentum lobortis non quis " \
  "mauris. Nulla venenatis fringilla urna nec venenatis. Nam eget velit " \
  "nulla. Proin ut malesuada felis. Suspendisse vitae nunc neque. Donec " \
  "faucibus tempor lacinia. Vivamus ac vulputate sapien, eget lacinia " \
  "nisl.\n" \
  "\n" \
  "Curabitur eu dolor molestie, ullamcorper lorem quis, egestas " \
  "urna. Suspendisse in arcu sed justo blandit condimentum. Ut auctor, " \
  "sem quis condimentum mattis, est purus pulvinar elit, quis viverra " \
  "nibh metus ac diam. Etiam aliquet est eu dui fermentum consequat. Cras " \
  "auctor diam eget bibendum sagittis. Aenean elementum purus sit amet " \
  "sem euismod, non varius felis dictum. Aliquam tempus pharetra ante a " \
  "sagittis. Curabitur ut urna felis. Etiam sed vulputate nisi. Praesent " \
  "at libero eleifend, sagittis quam a, varius sapien."
#define LOREM_IPSUM_LENGTH ((size_t) 2725)

/* Local copy of the library's internal header layout, so the test can
   patch the compressedSize field. */
typedef struct _wfLZ_Header {
  char sig[4]; // this can be WFLZ for a single compressed block, or ZLFW for a block-compressed stream
  uint32_t compressedSize;
  uint32_t decompressedSize;
  /* wfLZ_Block firstBlock; */
} wfLZ_Header;

int main(int argc, char *argv[]) {
  size_t compressed_size = wfLZ_GetMaxCompressedSize ((uint32_t) LOREM_IPSUM_LENGTH);
  uint8_t* compressed = (uint8_t*) malloc(compressed_size);
  uint8_t decompressed[LOREM_IPSUM_LENGTH];
  size_t decompressed_size;
  uint8_t* work_mem = (uint8_t*) malloc (wfLZ_GetWorkMemSize ());

  compressed_size = (size_t) wfLZ_CompressFast (LOREM_IPSUM, (uint32_t) LOREM_IPSUM_LENGTH,
                                                compressed, work_mem, 0);

  /* Now try to decompress progressively smaller slices of the
     compressed buffer. */
  while (--compressed_size > 16) {
    decompressed_size = sizeof(decompressed);
    /* Shrink the allocation so AddressSanitizer flags any read past the slice. */
    compressed = (uint8_t*) realloc(compressed, compressed_size);
    /* Keep the header's size field consistent with the truncated buffer. */
    ((wfLZ_Header*) compressed)->compressedSize = (uint32_t) compressed_size - 16;
    wfLZ_Decompress (compressed, decompressed);
  }

  wfLZ_Decompress (compressed, decompressed);
  assert (memcmp (LOREM_IPSUM, decompressed, LOREM_IPSUM_LENGTH) == 0);

  free (compressed);
  free (work_mem);

  printf("Works\n");

  return 0;
}
```

Compile with AddressSanitizer, and you get something like:
`wfLZ_Decompress` does not allow you to provide a length parameter for the `in` buffer, so there is no way to prevent it from reading outside the input buffer. Anyone who can control the compressed data can trick the decompressor into reading extra data, possibly causing unwanted information disclosure or a crash.
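
What a decoder that takes lengths for both buffers looks like, as an added example (not part of the original issue and not wfLZ code). The token format, `toy_decompress`, `decode_prefix` and `SAMPLE` are constructed for illustration and do not reflect the wfLZ format or API.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy LZ77 token stream, constructed for this example (NOT the wfLZ format):
 *   0xxxxxxx          literal run: (x + 1) raw bytes follow
 *   1xxxxxxx lo hi    match: copy (x + 3) bytes from dist bytes back,
 *                     dist = lo | hi << 8
 * Returns the number of bytes written, or -1 on truncated/malformed input. */
long toy_decompress(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;

    while (ip < in_len) {
        uint8_t tok = in[ip++];
        size_t len = (size_t)(tok & 0x7F);

        if (!(tok & 0x80)) {                       /* literal run */
            len += 1;
            if (len > in_len - ip)  return -1;     /* would read past input */
            if (len > out_cap - op) return -1;     /* would write past output */
            for (size_t i = 0; i < len; i++)
                out[op++] = in[ip++];
        } else {                                   /* back-reference */
            len += 3;
            if (in_len - ip < 2)    return -1;     /* distance bytes missing */
            size_t dist = (size_t)in[ip] | ((size_t)in[ip + 1] << 8);
            ip += 2;
            if (dist == 0 || dist > op) return -1; /* points before output start */
            if (len > out_cap - op) return -1;     /* would write past output */
            for (size_t i = 0; i < len; i++, op++) /* byte-wise: overlap is legal */
                out[op] = out[op - dist];
        }
    }
    return (long)op;
}

/* Constructed sample: literal "abc", then a 6-byte match at distance 3. */
static const uint8_t SAMPLE[] = { 0x02, 'a', 'b', 'c', 0x83, 0x03, 0x00 };

/* Decode only the first n bytes of SAMPLE, mimicking the issue's
 * truncation loop; a cut-off stream must fail instead of over-reading. */
long decode_prefix(size_t n, uint8_t *out, size_t out_cap)
{
    return toy_decompress(SAMPLE, n, out, out_cap);
}
```

Every read of `in` is preceded by a comparison against `in_len`, which is the check a caller cannot add from outside when the API takes only a pointer.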