Open morningbread opened 1 year ago
Hi, i found a controllable memory allocations in DartsDict::NewFromFile(), which can cause DOS.
I put the POC in the attachment, prove it like this. (compile open_dict with address sanitizer). ./opencc_dict -i poc -o tmp -f ocd -t text
Then, ASAN would catch the error:
==2580423==ERROR: AddressSanitizer: requested allocation size 0x1300000000000000 (0x1300000000001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0) #0 0x49afcd in malloc /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 #1 0x7f66425812be in opencc::DartsDict::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/DartsDict.cpp:121:12 #2 0x7f6642511db4 in bool opencc::SerializableDict::TryLoadFromFile<opencc::DartsDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::DartsDict>*) /home/coco/work/OpenCC/src/SerializableDict.hpp:62:40 #3 0x7f66425279a7 in std::shared_ptr<opencc::DartsDict> opencc::SerializableDict::NewFromFile<opencc::DartsDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/SerializableDict.hpp:71:10 #4 0x7f66425279a7 in LoadDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coc [poc.zip](https://github.com/BYVoid/OpenCC/files/12727141/poc.zip) o/work/OpenCC/src/DictConverter.cpp:35:12 #5 0x7f66425280f4 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:65:22 #6 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5 #7 0x7f6641f6c082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16 ==2580423==HINT: if you don't care about these errors you may set allocator_may_return_null=1 SUMMARY: AddressSanitizer: allocation-size-too-big /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 in malloc ==2580423==ABORTING
poc.zip
Hi, i found a controllable memory allocations in DartsDict::NewFromFile(), which can cause DOS.
I put the POC in the attachment, prove it like this. (compile open_dict with address sanitizer). ./opencc_dict -i poc -o tmp -f ocd -t text
Then, ASAN would catch the error:
poc.zip