Check duplicate issues.
Description
TFile::Recover doesn't properly validate the amount of bytes it attempts to read from disk with ReadKeyBuffer against its maximum buffer length.
As a consequence it is possible that a corrupted or maliciously-crafted TFile causes out of bounds stack reads up to 2GB.
Thanks to @offset for the original report
Reproducer
Create a TFile that causes a Recover upon open (e.g. by setting fEND to 0) and has a key whose reported name length is much longer than the actual payload of the string, then open it.
ROOT version
master
Installation method
any
Operating system
any
Additional context
No response
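A minimal sketch of the missing check described in this report, added here as an illustration; it is not ROOT's code or its fix. The `BoundedReader` class, the `ParseKeyName` function and the length-prefix encoding (one length byte, with 255 meaning a 4-byte big-endian length follows) are assumptions made for the example, and the sample buffers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical bounded cursor over a key header buffer (not ROOT's API).
class BoundedReader {
   const unsigned char *fCur;
   const unsigned char *fEnd;

public:
   BoundedReader(const unsigned char *buf, std::size_t len) : fCur(buf), fEnd(buf + len) {}

   std::size_t Remaining() const { return static_cast<std::size_t>(fEnd - fCur); }

   // Big-endian 32-bit read; fails instead of running past the end.
   bool ReadU32(std::uint32_t &out) {
      if (Remaining() < 4) return false;
      out = (std::uint32_t(fCur[0]) << 24) | (std::uint32_t(fCur[1]) << 16) |
            (std::uint32_t(fCur[2]) << 8) | std::uint32_t(fCur[3]);
      fCur += 4;
      return true;
   }

   // Assumed encoding: 1-byte length; the value 255 means a 4-byte length follows.
   bool ReadString(std::string &out) {
      if (Remaining() < 1) return false;
      std::uint32_t n = *fCur++;
      if (n == 255 && !ReadU32(n)) return false;
      // The declared length comes from the file, so it is untrusted:
      // compare it with the bytes actually left before touching the payload.
      if (n > Remaining()) return false;
      out.assign(reinterpret_cast<const char *>(fCur), n);
      fCur += n;
      return true;
   }
};

// Parse the name field of a header buffer; false means "reject this key".
bool ParseKeyName(const unsigned char *buf, std::size_t len, std::string &name) {
   BoundedReader r(buf, len);
   return r.ReadString(name);
}
```

A recovery loop built this way skips or aborts on a key whose declared name length exceeds the bytes that were actually read, rather than copying past the end of the header buffer.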