Skip to content
This repository has been archived by the owner on Dec 22, 2022. It is now read-only.

CVE-2018-10922: Use of Untrusted Length Field May Lead to Denial of Service #2

Closed
sgayou opened this issue Aug 2, 2018 · 0 comments

Comments

@sgayou
Copy link

sgayou commented Aug 2, 2018

Hi,

If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:

    for (x=length;x>0;x-=4)
        sum += readbe32(inways);

As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.

time ttembed hang.useme 


real	13m6.415s
user	3m47.487s
sys	9m16.191s

Instead of looping forever, the code should fail as soon as readbe32 detects an EOF, else, the program should verify the bounds of the program and bail out when size > actual size of the file.

This has been assigned CVE-2018-10922.

Reproducer attached.
hang.zip

@sgayou sgayou closed this as completed Oct 10, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant