Closed totaam closed 3 years ago
I've looked at some other implementations and some seem to have implemented it the same way and are therefore also vulnerable.
I've fixed this in 572ff74586d9b1daab904c6f7f7009ce0143bb75 with some minor cosmetic changes.
CVE-2021-40839 seems to be assigned to this issue.
Could we have a release please?
Yes, a release seems very much in order here. Thanks.
Without this change, one can generate a bytestream which will effectively DoS the software decoding it: the Cython decoder will spin at 100% CPU going through the list decoding loop (or dictionary - the same issue also exists there) forever until the system runs out of memory.
Sorry for the bad news. This looks like a CVE is in order.