memory exhausted in oabd_decompress() #25
Comments
Thank you for reporting this, but I'm not sure this is a bug. Treating it like one, and putting an arbitrary limit on the size of this field, would violate the MS-OXOAB specification being implemented. It's up to code controlling libmspack to set hard memory usage limits, if such limits are desired. Use a custom The definition of the
Putting an arbitrary limit in place is an exercise in futility - it's completely arbitrary what you would consider "too large" buffer size for a "small" file, so any size I choose might again be called "too large" until you feel happy. And from the other direction, the smaller I make the arbitrary limit, the more likely real OAB files exist that surpass that limit, and they will be permanently prevented from unpacking by such a change, infuriating those users. The right thing for people who think this allocation is "too large" is to customise their I can accept this as a feature enhancement request to re-write oabd to work with any buffer size, and only use the header field as a hint.
I've implemented the new feature; OAB decompression now uses a user-controllable fixed-size buffer for copying uncompressed blocks, rather than needing a memory allocation that's as large as the largest block (
Description:
The function oabd_decompress() in libmspack has a memory exhaustion problem.
Affected version:
libmspack 0.9.1 alpha
Details:
Critical code: oabd.c line 132~149:
In function oabd_decompress() in file oabd.c (line 132~149), block_max is read from the oab file and later memory of size block_max is allocated, without checking whether block_max is valid. A carefully constructed oab file will lead to a memory exhaustion problem.
block_max is 32-bit, so it can be as large as 0xffffffff. The maximum memory usage of oabd_decompress() can be 4G RAM, even if the input file is very small.
PoC file:
https://github.com/JsHuang/pocs/blob/master/libmspack/oom-oab
Credit: ADLab of Venustech
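
The fixed-size copy buffer the maintainer describes, sketched in C as an added example (not libmspack's code): the block length from the header only bounds the loop and never sizes an allocation. The names copy_uncompressed_block, mem_in, demo and the 4096-byte COPY_BUF_SIZE are assumptions, and the 10000-byte input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COPY_BUF_SIZE 4096 /* assumed fixed working-buffer size */

/* Constructed in-memory reader standing in for the input file. */
struct mem_in { const uint8_t *p; size_t left; };

static size_t in_read(struct mem_in *in, uint8_t *dst, size_t n) {
    if (n > in->left) n = in->left;   /* short read at end of input */
    memcpy(dst, in->p, n);
    in->p += n;
    in->left -= n;
    return n;
}

/* Copy one uncompressed block whose length is an untrusted 32-bit header
 * value. Memory use is COPY_BUF_SIZE whatever the header claims.
 * Returns bytes copied, or -1 if the input ends before declared_len. */
long long copy_uncompressed_block(struct mem_in *in, uint32_t declared_len) {
    uint8_t buf[COPY_BUF_SIZE];
    uint32_t remaining = declared_len;
    long long copied = 0;
    while (remaining > 0) {
        size_t want = remaining < COPY_BUF_SIZE ? remaining : COPY_BUF_SIZE;
        size_t got = in_read(in, buf, want);
        if (got == 0) return -1;      /* header claims more than the file holds */
        /* a real decompressor would write buf[0..got) to its output here */
        copied += (long long)got;
        remaining -= (uint32_t)got;
    }
    return copied;
}

/* Constructed sample: a 10000-byte input and a caller-chosen declared length. */
long long demo(uint32_t declared_len) {
    static uint8_t data[10000];
    struct mem_in in = { data, sizeof data };
    return copy_uncompressed_block(&in, declared_len);
}

int main(void) {
    printf("honest header:  %lld\n", demo(10000));
    printf("0xffffffff:     %lld\n", demo(0xffffffffu));
    return 0;
}
```

With a declared length of 0xffffffff the loop stops with an error once the 10000 real bytes are consumed, having used only the 4096-byte buffer.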