Check duplicate issues.
Description
TBasket and TBranch are missing sanity checks in their Streamer methods to verify that reported buffer lengths match with what is actually stored on disk.
In case of TBasket, it is not checking whether fNevBufSize is consistent with fNevBuf.
In case of TBranch, for "very old versions", fMaxBaskets is not checked against the field n.
In both cases the first field is used as the buffer allocation size while the second, independent field on disk is used to iterate over the allocated buffer. If the second fields contains a bigger number than the first, we read/write out of bounds.
Furthermore, TBasket is using ReadArray in an inherently-unsafe manner, since it too uses an independent on-disk field to determine the read size.
Thanks to @offset for the original report!
Reproducer
Full reproducer omitted for brevity, but the idea is creating a TFile containing a TTree and then manipulating the proper bytes on disk to corrupt them. To our knowledge this is not possible through regular ROOT workflows and the file must be edited independently, either maliciously or due to some other corruption.
ROOT version
master
Installation method
any
Operating system
any
Additional context
No response
Check duplicate issues.
Description
TBasket and TBranch are missing sanity checks in their
Streamermethods to verify that reported buffer lengths match with what is actually stored on disk.In case of TBasket, it is not checking whether
fNevBufSizeis consistent withfNevBuf.In case of TBranch, for "very old versions",
fMaxBasketsis not checked against the fieldn.In both cases the first field is used as the buffer allocation size while the second, independent field on disk is used to iterate over the allocated buffer. If the second fields contains a bigger number than the first, we read/write out of bounds.
Furthermore, TBasket is using
ReadArrayin an inherently-unsafe manner, since it too uses an independent on-disk field to determine the read size.Thanks to @offset for the original report!
Reproducer
Full reproducer omitted for brevity, but the idea is creating a TFile containing a TTree and then manipulating the proper bytes on disk to corrupt them. To our knowledge this is not possible through regular ROOT workflows and the file must be edited independently, either maliciously or due to some other corruption.
ROOT version
master
Installation method
any
Operating system
any
Additional context
No response