New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

::crypto::tink::JsonKeysetReader may crash on invalid input before tink-cc version 2.1.3. #4

Open

juergw opened this issue May 2, 2024 · 0 comments

Assignees

Contributor

juergw commented May 2, 2024

::crypto::tink::JsonKeysetReader parses keysets in Tink's JSON proto keyset format.

In older releases of tink-cc, there were some cases where it would crash on some invalid inputs. Here is an example:

constexpr absl::string_view kJsonTink = "NDMyNjg4NTA5MjQxMjUzMDczCg=="; // Encodes an integer
std::string decoded_key;
absl::Base64Unescape(kJsonTink, &decoded_key);
auto json_result = crypto::tink::JsonKeysetReader::New(decoded_key);
EXPECT_OK(json_result);
auto keyset_result = json_result.value()->Read(); // Will cause a crash

also, large and highly nested inputs were able to cause the stack to overflow.

Both of these issue are fixed in release 2.1.3.
See da091f8 and dfbbe8f.

The text was updated successfully, but these errors were encountered:

tholenst assigned juergw

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment