
CVE-2018-10922: Use of Untrusted Length Field May Lead to Denial of Service #2

Open
sgayou opened this Issue Aug 2, 2018 · 0 comments


sgayou commented Aug 2, 2018

Hi,

If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:

    /* length comes straight from the input file; each iteration reads one 32-bit word */
    for (x=length;x>0;x-=4)
        sum += readbe32(inways);

As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.

    time ttembed hang.useme

    real	13m6.415s
    user	3m47.487s
    sys	9m16.191s

Instead of looping forever, the code should fail as soon as readbe32 detects an EOF; otherwise, the program should verify the bounds of the program and bail out when size > actual size of the file.

This has been assigned CVE-2018-10922.

Reproducer attached.
hang.zip
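Added example, not ttembed's code or the reporter's: a hardened form of the loop quoted above that applies both suggested fixes, checking the untrusted length against the bytes actually present before looping and aborting on EOF mid-loop. `readbe32_checked`, `remaining_bytes`, `sum_words_bounded` and `sum_words_of_bytes` are hypothetical names, and the original `readbe32` signature is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not ttembed's own code. A readbe32 that reports a short read
 * instead of folding fgetc()'s EOF (-1) into the value; signature is assumed. */
int readbe32_checked(FILE *f, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int c = fgetc(f);
        if (c == EOF) return -1;         /* caller must stop, not keep summing */
        v = (v << 8) | (uint32_t)c;
    }
    *out = v;
    return 0;
}

/* Bytes between the current offset and end of file, or -1 if not seekable. */
long remaining_bytes(FILE *f) {
    long cur = ftell(f);
    if (cur < 0 || fseek(f, 0, SEEK_END) != 0) return -1;
    long end = ftell(f);
    if (end < 0 || fseek(f, cur, SEEK_SET) != 0) return -1;
    return end - cur;
}

/* Hardened form of the reported loop: on seekable input the untrusted length
 * is checked against the bytes actually present before any looping; on any
 * input an EOF mid-loop aborts. Returns 0 on success, -1 on bad length or EOF. */
int sum_words_bounded(FILE *f, uint32_t length, uint32_t *sum_out) {
    if (length % 4 != 0) return -1;      /* policy choice: reject unaligned lengths */
    long avail = remaining_bytes(f);
    if (avail >= 0 && (unsigned long)length > (unsigned long)avail) return -1;
    uint32_t sum = 0, w;
    for (uint32_t x = length; x > 0; x -= 4) {
        if (readbe32_checked(f, &w) != 0) return -1;
        sum += w;
    }
    *sum_out = sum;
    return 0;
}

/* Helper: run sum_words_bounded over a constructed in-memory byte buffer. */
int sum_words_of_bytes(const unsigned char *buf, size_t n, uint32_t length, uint32_t *sum) {
    FILE *f = tmpfile();
    if (!f || fwrite(buf, 1, n, f) != n) { if (f) fclose(f); return -1; }
    rewind(f);
    int rc = sum_words_bounded(f, length, sum);
    fclose(f);
    return rc;
}
```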
