Hi, I found a controllable memory allocation in BinaryDict::NewFromFile(), which can cause a DoS.
I put the POC in the attachment; prove it like this (compile opencc_dict with AddressSanitizer):
./opencc_dict -i poc -o tmp -f ocd -t text
Then, ASAN would catch the error:
==1805512==ERROR: AddressSanitizer: requested allocation size 0x70000000001 (0x70000001008 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x4ccdfd in operator new(unsigned long) /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
#1 0x7fd7eaf2338d in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14338d)
==1805512==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3 in operator new(unsigned long)
==1805512==ABORTING
poc.zip
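As an added illustration of the mitigation for this class of bug (this is example code, not OpenCC's own BinaryDict implementation, and the length-prefixed record layout it models is hypothetical rather than the real OCD format): a file-supplied length field is untrusted input, so the reader below checks it against the bytes actually remaining in the buffer before constructing a std::string. A header claiming the 0x70000000001 bytes that ASan reported above is rejected instead of reaching operator new.

```cpp
// Added example, not OpenCC project code. Demonstrates validating a size
// field read from a file before allocating; the record layout (8-byte
// little-endian length followed by payload) is hypothetical.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Reads a little-endian uint64 at `offset`. Returns false if the header
// itself does not fit in the buffer.
static bool ReadU64LE(const std::vector<uint8_t>& buf, size_t offset,
                      uint64_t* out) {
  if (offset > buf.size() || buf.size() - offset < sizeof(uint64_t)) {
    return false;
  }
  uint64_t v = 0;
  for (size_t i = 0; i < sizeof(uint64_t); ++i) {
    v |= static_cast<uint64_t>(buf[offset + i]) << (8 * i);
  }
  *out = v;
  return true;
}

// Hardened reader: the claimed length is compared with the bytes remaining
// after the header, so a crafted header cannot drive a huge std::string
// allocation. Returns std::nullopt on any inconsistency.
std::optional<std::string> ReadLengthPrefixedString(
    const std::vector<uint8_t>& buf, size_t offset) {
  uint64_t len = 0;
  if (!ReadU64LE(buf, offset, &len)) return std::nullopt;
  size_t payload_offset = offset + sizeof(uint64_t);  // cannot overflow: checked above
  size_t remaining = buf.size() - payload_offset;
  if (len > remaining) return std::nullopt;  // claimed size exceeds the file: reject
  return std::string(reinterpret_cast<const char*>(buf.data() + payload_offset),
                     static_cast<size_t>(len));
}

// Builds a constructed sample record (not taken from the attached poc.zip).
std::vector<uint8_t> MakeRecord(uint64_t claimed_len, const std::string& payload) {
  std::vector<uint8_t> buf;
  for (size_t i = 0; i < sizeof(uint64_t); ++i) {
    buf.push_back(static_cast<uint8_t>(claimed_len >> (8 * i)));
  }
  buf.insert(buf.end(), payload.begin(), payload.end());
  return buf;
}

// A consistent record parses to its payload.
bool GoodRecordParses() {
  auto rec = MakeRecord(5, "hello");
  auto s = ReadLengthPrefixedString(rec, 0);
  return s.has_value() && *s == "hello";
}

// A header claiming the size ASan reported, backed by only three bytes of
// payload, is refused before any allocation of that size is attempted.
bool OversizedHeaderRejected() {
  auto rec = MakeRecord(0x70000000001ULL, "abc");
  return !ReadLengthPrefixedString(rec, 0).has_value();
}

int main() {
  std::printf("good record parses: %s\n", GoodRecordParses() ? "yes" : "no");
  std::printf("oversized header rejected: %s\n",
              OversizedHeaderRejected() ? "yes" : "no");
  return 0;
}
```

The same check applies to any size field a dictionary loader reads from disk: bound it by the remaining file length (or a fixed format maximum) before the value ever reaches an allocator, and treat a violation as a malformed file rather than a request to fulfil.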