
Controllable memory allocations in BinaryDict::NewFromFile(), which can cause DOS

morningbread opened this issue 9 months ago • 0 comments (status: Open)

Hi, I found a controllable memory allocation in BinaryDict::NewFromFile(), which can cause a DoS.

I put the PoC in the attachment; prove it like this (compile opencc_dict with AddressSanitizer): `./opencc_dict -i poc -o tmp -f ocd -t text`

Then, ASAN would catch the error:

```
==1805512==ERROR: AddressSanitizer: requested allocation size 0x70000000001 (0x70000001008 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x4ccdfd in operator new(unsigned long) /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
#1 0x7fd7eaf2338d in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14338d)

==1805512==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3 in operator new(unsigned long)
==1805512==ABORTING
```

poc.zip

morningbread · Sep 26 '23 11:09
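The failure class in this report is a length field read from the file being passed straight to a string allocation. As an added illustration (not OpenCC's own code, and not the real .ocd layout), this C++ reader checks a length prefix against the bytes actually remaining in the buffer before any allocation happens; the `[uint32 length][payload]` record format and the helper names are assumptions.

```cpp
// Added example, not OpenCC code. Assumes a simplified record layout of
// [uint32 little-endian length][length bytes]; the real .ocd format differs.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Parses one length-prefixed string at `offset` into `out`.
// Refuses, without allocating, when the declared length cannot be backed by
// the bytes actually present: that is the condition a hostile file uses to
// force an oversized std::string allocation.
bool ReadLengthPrefixedString(const std::vector<uint8_t>& buf, size_t& offset,
                              std::string& out) {
  if (offset > buf.size() || buf.size() - offset < sizeof(uint32_t)) return false;
  uint32_t len = 0;
  std::memcpy(&len, buf.data() + offset, sizeof len);  // host assumed little-endian
  size_t next = offset + sizeof len;
  if (len > buf.size() - next) return false;  // bound check precedes allocation
  out.assign(reinterpret_cast<const char*>(buf.data() + next), len);
  offset = next + len;
  return true;
}

// Constructed well-formed record: length 3 followed by "abc".
bool DemoValidRecord() {
  std::vector<uint8_t> file = {3, 0, 0, 0, 'a', 'b', 'c'};
  size_t off = 0;
  std::string s;
  return ReadLengthPrefixedString(file, off, s) && s == "abc" && off == file.size();
}

// Constructed hostile record: the header claims ~4 GiB of payload but only two
// bytes follow. Without the bound check, assign() would request the declared
// size, the same allocation-size-too-big failure ASan reports above.
bool DemoHostileRecord() {
  std::vector<uint8_t> file = {0xFF, 0xFF, 0xFF, 0xFF, 'x', 'y'};
  size_t off = 0;
  std::string s;
  bool ok = ReadLengthPrefixedString(file, off, s);
  return !ok && s.empty() && off == 0;  // rejected, nothing allocated, no progress
}

int main() {
  std::printf("valid record parsed: %d\n", DemoValidRecord());      // 1
  std::printf("hostile record rejected: %d\n", DemoHostileRecord()); // 1
  return 0;
}
```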