BYVoid / OpenCC

Conversion between Traditional and Simplified Chinese
https://opencc.byvoid.com/
Apache License 2.0

Controllable memory allocations in DartsDict::NewFromFile(), which can cause DOS #816

Open morningbread opened 1 year ago

morningbread commented 1 year ago

Hi, I found a controllable memory allocation in DartsDict::NewFromFile(), which can cause a DoS.

I put the PoC in the attachment; prove it like this (compile opencc_dict with AddressSanitizer):

./opencc_dict -i poc -o tmp -f ocd -t text

Then, ASAN would catch the error:

==2580423==ERROR: AddressSanitizer: requested allocation size 0x1300000000000000 (0x1300000000001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x49afcd in malloc /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7f66425812be in opencc::DartsDict::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/DartsDict.cpp:121:12
#2 0x7f6642511db4 in bool opencc::SerializableDict::TryLoadFromFile<opencc::DartsDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::DartsDict>*) /home/coco/work/OpenCC/src/SerializableDict.hpp:62:40
#3 0x7f66425279a7 in std::shared_ptr<opencc::DartsDict> opencc::SerializableDict::NewFromFile<opencc::DartsDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/SerializableDict.hpp:71:10
#4 0x7f66425279a7 in LoadDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:35:12
#5 0x7f66425280f4 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:65:22
#6 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
#7 0x7f6641f6c082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16

==2580423==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 in malloc
==2580423==ABORTING

Attachment: [poc.zip](https://github.com/BYVoid/OpenCC/files/12727141/poc.zip)
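The report above shows the general failure mode: a size field read from an untrusted dictionary file is handed straight to the allocator, so a crafted header (here 0x1300000000000000 bytes) turns a file load into an allocation-size DoS. The following is an added example, not OpenCC's code and not its .ocd layout: it loads a hypothetical length-prefixed section (8-byte little-endian length, then payload) and rejects the length before any allocation happens, both against a policy cap (`kMaxSectionBytes`, an assumed value) and against the number of bytes actually present in the input. All names here are illustrative.

```cpp
// Added example (not OpenCC's own code): bounding an untrusted length field
// before allocating. Layout assumed here: u64 little-endian length + payload.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class LoadStatus { Ok, Truncated, LengthExceedsFile, LengthExceedsCap };

// Assumed policy: no single section may exceed 64 MiB, regardless of what the
// header claims. A real loader would pick a cap that fits its data.
constexpr std::uint64_t kMaxSectionBytes = 64ull * 1024 * 1024;

struct Section {
    std::vector<unsigned char> bytes;
};

// Decode an 8-byte little-endian unsigned integer.
static std::uint64_t ReadLE64(const unsigned char* p) {
    std::uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}

// Hardened loader: the declared length is validated against the cap and
// against the bytes really available before any memory is reserved, so a
// lying header cannot drive the allocator.
LoadStatus LoadSection(const unsigned char* buf, std::size_t len, Section& out) {
    if (len < 8) return LoadStatus::Truncated;           // no complete header
    const std::uint64_t n = ReadLE64(buf);
    if (n > kMaxSectionBytes) return LoadStatus::LengthExceedsCap;
    if (n > len - 8) return LoadStatus::LengthExceedsFile; // claims more than exists
    out.bytes.assign(buf + 8, buf + 8 + static_cast<std::size_t>(n));
    return LoadStatus::Ok;
}

// Constructed test input: a header with an arbitrary declared length followed
// by whatever payload we choose, so the declared and actual sizes can disagree.
std::vector<unsigned char> MakeFile(std::uint64_t declared, const std::string& payload) {
    std::vector<unsigned char> f(8);
    for (int i = 0; i < 8; ++i) f[i] = static_cast<unsigned char>(declared >> (8 * i));
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

static const char* StatusName(LoadStatus s) {
    switch (s) {
        case LoadStatus::Ok: return "Ok";
        case LoadStatus::Truncated: return "Truncated";
        case LoadStatus::LengthExceedsFile: return "LengthExceedsFile";
        case LoadStatus::LengthExceedsCap: return "LengthExceedsCap";
    }
    return "?";
}

int main() {
    Section s;
    // Honest header, 5 bytes declared and present.
    auto good = MakeFile(5, "hello");
    std::printf("good:  %s\n", StatusName(LoadSection(good.data(), good.size(), s)));
    // Header claims the same absurd size seen in the ASAN report, 1 byte present.
    auto huge = MakeFile(0x1300000000000000ull, "x");
    std::printf("huge:  %s\n", StatusName(LoadSection(huge.data(), huge.size(), s)));
    // Header claims 100 bytes, only 3 present.
    auto lying = MakeFile(100, "abc");
    std::printf("lying: %s\n", StatusName(LoadSection(lying.data(), lying.size(), s)));
    return 0;
}
```

When the input arrives as a `FILE*` rather than an in-memory buffer, the "bytes actually available" bound comes from the file size (for example via `fstat` on the descriptor) instead of `len`; the principle is the same: never let a value read from the file alone decide how much memory to request.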