Francesco149 / oppai-ng

difficulty and pp calculator for osu!. better, smaller, faster rewrite of https://github.com/Francesco149/oppai
The Unlicense

Overflow in call to m_alloc #54

Closed tadeokondrak closed 5 years ago

tadeokondrak commented 5 years ago

here

With this file, m_alloc will be passed a number larger than sizeof(int) and crash:

[General]
Mode: 1
[HitObjects]
0,0,0,2,0,0,999999999,0,0,0,0,0,0

Would submit a PR to fix, but I'm not sure of the underlying reasons why some functions take the types they do, so I'd probably get it wrong.

tadeokondrak commented 5 years ago

Also, with

[General]
Mode: 1
[HitObjects]
0,0,0,2,0,0,-5,0,0
0,0,0,2,0,0,0,0,0

malloc will be passed a negative number and cause memory corruption.

So, a fix would be something like

if (nodes < 1) {
    return ERR_SYNTAX;
} else if (nodes > INT_MAX / (int)sizeof(int)) {
    /* sizeof(int) * nodes would not fit into an int */
    return ERR_OOM;
}

Francesco149 commented 5 years ago

nice find, this could be used to DDoS services relying on oppai, lol

will fix asap
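The two failure modes reported in this thread (a count large enough that `count * sizeof(int)` overflows the `int` the size is computed in, and a negative count that reaches the allocator) both come from trusting a field parsed out of the `.osu` file. The following is an added example written for this page, not oppai-ng's code: it parses the 7th comma-separated field of a `HitObjects` line (the one the issue's test lines set to 999999999 and -5), treats that value directly as the node count, and refuses to allocate unless the count is at least 1 and `count * sizeof(int)` fits in an `int`. The function names (`parse_hitobject_nodes`, `alloc_int_nodes`, `nth_field_long`), the error codes and the use of plain `malloc` in place of `m_alloc` are assumptions for the example; oppai-ng's real identifiers and field handling may differ.

```c
/* Added example, not oppai-ng code. Demonstrates bounds-checking an
 * allocation count parsed from an untrusted .osu HitObjects line.
 * All identifiers below are assumed for this example. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { OK = 0, ERR_SYNTAX = -1, ERR_OOM = -2 };

/* Parse the n-th (0-based) comma-separated field of line as a long.
 * Fails with ERR_SYNTAX if the field is missing, empty, non-numeric,
 * or out of range for long. */
static int nth_field_long(const char *line, int n, long *out) {
    const char *p = line;
    char *end;
    long v;
    int i;

    for (i = 0; i < n; ++i) {
        p = strchr(p, ',');
        if (!p) return ERR_SYNTAX;
        ++p;
    }
    errno = 0;
    v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE) return ERR_SYNTAX;
    /* the field must end at a comma or end of line */
    if (*end != ',' && *end != '\0' && *end != '\n' && *end != '\r') {
        return ERR_SYNTAX;
    }
    *out = v;
    return OK;
}

/* Allocate room for `nodes` ints. Rejects counts below 1 (which would
 * hand the allocator a zero or negative size) and counts for which
 * nodes * sizeof(int) does not fit in an int, the type the size is
 * computed in. On failure returns NULL and stores the reason in *err. */
int *alloc_int_nodes(long nodes, int *err) {
    int size;
    int *p;

    if (nodes < 1) {
        *err = ERR_SYNTAX;
        return NULL;
    }
    /* same test as INT_MAX >= nodes * sizeof(int), without overflowing */
    if (nodes > INT_MAX / (long)sizeof(int)) {
        *err = ERR_OOM;
        return NULL;
    }
    size = (int)nodes * (int)sizeof(int); /* cannot overflow after the check */
    p = malloc((size_t)size);
    if (!p) {
        *err = ERR_OOM;
        return NULL;
    }
    *err = OK;
    return p;
}

/* Read the 7th field of a HitObjects line as the node count and allocate.
 * On success *out holds the buffer (caller frees it); otherwise *out is NULL. */
int parse_hitobject_nodes(const char *line, int **out) {
    long nodes;
    int err;

    *out = NULL;
    err = nth_field_long(line, 6, &nodes);
    if (err != OK) return err;
    *out = alloc_int_nodes(nodes, &err);
    return err;
}

int main(void) {
    /* constructed inputs: the two lines from the issue plus a sane one */
    const char *lines[] = {
        "0,0,0,2,0,0,999999999,0,0,0,0,0,0",
        "0,0,0,2,0,0,-5,0,0",
        "0,0,0,2,0,0,4,0,0",
    };
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); ++i) {
        int *buf;
        int err = parse_hitobject_nodes(lines[i], &buf);
        printf("%-40s -> %d\n", lines[i], err);
        free(buf);
    }
    return 0;
}
```

The division `INT_MAX / sizeof(int)` is the standard way to test a multiplication against a ceiling without performing the multiplication that might overflow; the `nodes < 1` test has to come first because a negative count converted to `size_t` becomes a huge positive value rather than an error.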