aresch / rencode

Python module for fast (basic) object serialization similar to bencode
GNU General Public License v3.0

fix typecode decoding DoS #29

Closed totaam closed 3 years ago

totaam commented 3 years ago

Without this change, one can generate a bytestream which will effectively DoS the software decoding it: the Cython decoder will spin at 100% CPU going through the list decoding loop (or dictionary - the same issue also exists there) forever until the system runs out of memory.

Sorry for the bad news. This looks like a CVE is in order.
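The bug class described in the comment above, as an added example that is not part of the original thread and is not rencode's code. It uses a constructed toy wire format and assumes the failure mode is a decoder that returns without consuming input when it meets an unrecognised typecode; `decode_item`, `decode_list`, `strict` and `max_steps` are hypothetical names.

```python
# Toy format constructed for this example (NOT rencode's wire format):
#   b"i" + one byte  -> small integer
#   b"l" ... b"e"    -> list of items, closed by the terminator b"e"
TERM, INT, LIST = b"e"[0], b"i"[0], b"l"[0]

class DecodeError(ValueError):
    """Raised for any input the decoder cannot consume."""

def decode_item(data, pos, strict=True, max_steps=None):
    """Decode one item starting at pos; return (value, next_pos)."""
    if pos >= len(data):
        raise DecodeError(f"truncated input at offset {pos}")
    code = data[pos]
    if code == INT:
        if pos + 1 >= len(data):
            raise DecodeError(f"truncated integer at offset {pos}")
        return data[pos + 1], pos + 2
    if code == LIST:
        return decode_list(data, pos + 1, strict, max_steps)
    if strict:
        # Hardened behaviour: an unrecognised typecode is a hard error.
        raise DecodeError(f"unknown typecode 0x{code:02x} at offset {pos}")
    # Lenient behaviour (the bug class): nothing consumed, nothing raised.
    return None, pos

def decode_list(data, pos, strict=True, max_steps=None):
    """Decode items until TERM; return (items, next_pos)."""
    items = []
    while pos < len(data) and data[pos] != TERM:
        if max_steps is not None and len(items) >= max_steps:
            return items, pos  # demo-only cap so the lenient loop stops
        value, pos = decode_item(data, pos, strict, max_steps)
        items.append(value)  # grows without bound if pos never advances
    if pos >= len(data):
        raise DecodeError("unterminated list")
    return items, pos + 1

def decode(data, strict=True, max_steps=None):
    """Decode a whole buffer and return the top-level value."""
    value, _ = decode_item(data, 0, strict, max_steps)
    return value

if __name__ == "__main__":
    bad = b"li\x01\xffe"  # constructed input: 0xff is not a typecode
    print(len(decode(bad, strict=False, max_steps=1000)))  # hits the cap
    try:
        decode(bad)
    except DecodeError as exc:
        print("rejected:", exc)
```

With `strict=False` and no cap, the list loop never reaches the terminator, which is the CPU and memory exhaustion the comment describes.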

totaam commented 3 years ago

I've looked at some other implementations and some seem to have implemented it the same way and are therefore also vulnerable.

aresch commented 3 years ago

I've fixed this in 572ff74586d9b1daab904c6f7f7009ce0143bb75 with some minor cosmetic changes.

carnil commented 3 years ago

CVE-2021-40839 seems to be assigned to this issue.

risicle commented 3 years ago

Could we have a release please?

opoplawski commented 2 years ago

Yes, a release seems very much in order here. Thanks.