If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:
```c
for (x=length;x>0;x-=4)
    sum += readbe32(inways);
```
As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.
```
$ time ttembed hang.useme
real    13m6.415s
user    3m47.487s
sys     9m16.191s
```
Instead of looping forever, the code should fail as soon as readbe32 detects an EOF; or else, the program should verify the bounds of the program and bail out when size > actual size of the file.
This has been assigned CVE-2018-10922.
Reproducer attached.
hang.zip
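The two fixes the report suggests (have readbe32 report EOF, and reject a length larger than the data actually present) side by side with the unchecked pattern, as an added example written for this page. It is not ttembed's code: the body of readbe32, the name of the table-sum routine, the return codes and the 12-byte sample table are all assumptions made here to have something runnable offline.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed reader modelled on the report's description (four fgetc calls per word).
 * It cannot signal EOF: fgetc returns -1 at end of file, which becomes 0xff here,
 * so a short file silently yields 0xffffffff words instead of an error. */
static uint32_t readbe32_unchecked(FILE *in)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = (v << 8) | (uint32_t)(unsigned char)fgetc(in);
    return v;
}

/* Hardened reader: false on EOF or read error, value through the out-parameter. */
static bool readbe32_checked(FILE *in, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int c = fgetc(in);
        if (c == EOF)
            return false;
        v = (v << 8) | (uint32_t)c;
    }
    *out = v;
    return true;
}

/* The loop from the report, trusting `length` blindly (hypothetical function name). */
static uint32_t sum_table_unchecked(FILE *in, uint32_t length)
{
    uint32_t sum = 0;
    for (int64_t x = length; x > 0; x -= 4)
        sum += readbe32_unchecked(in);
    return sum;
}

/* Hardened loop: bound `length` by the bytes remaining in the file before reading,
 * then abort on any premature EOF. Returns 0 on success, negative on rejection. */
static int sum_table_checked(FILE *in, uint32_t length, uint32_t *sum_out)
{
    long pos = ftell(in);
    if (pos < 0 || fseek(in, 0, SEEK_END) != 0)
        return -1;
    long end = ftell(in);
    if (end < 0 || fseek(in, pos, SEEK_SET) != 0)
        return -1;
    /* The loop reads whole words, so a length of 13 consumes 16 bytes: round up. */
    uint64_t needed = ((uint64_t)length + 3) & ~(uint64_t)3;
    if ((uint64_t)(end - pos) < needed)
        return -2;                       /* length > actual size of the file: bail out */
    uint32_t sum = 0;
    for (int64_t x = length; x > 0; x -= 4) {
        uint32_t v;
        if (!readbe32_checked(in, &v))
            return -3;                   /* EOF mid-table (e.g. non-seekable stream) */
        sum += v;
    }
    *sum_out = sum;
    return 0;
}

/* Constructed sample input: three big-endian words 1, 2, 3 (12 bytes, sum 6). */
static const unsigned char kTable[12] = {0,0,0,1, 0,0,0,2, 0,0,0,3};

static FILE *file_from_bytes(const unsigned char *data, size_t n)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    if (fwrite(data, 1, n, f) != n) { fclose(f); return NULL; }
    rewind(f);
    return f;
}

/* Returns the checksum on success, or the negative rejection code. */
static int64_t demo_checked(uint32_t claimed_length)
{
    FILE *f = file_from_bytes(kTable, sizeof kTable);
    if (!f)
        return -99;
    uint32_t sum = 0;
    int rc = sum_table_checked(f, claimed_length, &sum);
    fclose(f);
    return rc == 0 ? (int64_t)sum : rc;
}

/* Claim 16 bytes over a 12-byte file: the unchecked loop adds one 0xffffffff word. */
static uint32_t demo_unchecked_short(void)
{
    FILE *f = file_from_bytes(kTable, sizeof kTable);
    if (!f)
        return 0;
    uint32_t s = sum_table_unchecked(f, 16);
    fclose(f);
    return s;
}

int main(void)
{
    printf("checked, length 12:         %lld\n", (long long)demo_checked(12));
    printf("checked, length 16:         %lld (rejected)\n", (long long)demo_checked(16));
    printf("checked, length 0x7fffffff: %lld (rejected instantly)\n", (long long)demo_checked(0x7fffffffu));
    printf("unchecked, length 16:       %u (garbage from EOF)\n", (unsigned)demo_unchecked_short());
    return 0;
}
```

The size check is what turns the 13-minute hang into an immediate rejection: with a 0x7fffffff length the checked routine never enters the loop, while the EOF check in readbe32_checked covers inputs that are not seekable and the unchecked reader's habit of turning EOF into 0xff bytes.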