arves100 / opengr2

C IO library for RAD Granny2 file format
Mozilla Public License 2.0

Passing a Gr2 file that uses Oodle0 causes a buffer overflow #7

Open hukasu opened 3 weeks ago

hukasu commented 3 weeks ago

I tried running gr2nfo on a Gr2 that uses Oodle0 and it causes a buffer overflow.

https://github.com/arves100/opengr2/blob/4e5edd5e98dbd69270d40a92ed94cfe16e57955a/libopengrn/oodle1.c#L385 This memcpy writes outside of the bounds of the decompressedData buffer, overwriting pointers in dictionary->midbits[0].ranges, on which free is later called, raising an address violation.

https://github.com/arves100/opengr2/blob/4e5edd5e98dbd69270d40a92ed94cfe16e57955a/libopengrn/gr2_read.c#L284 This case is misleading, as it makes it seem as if the algorithm for Oodle1 can decompress Oodle0.

Has the algorithm for Oodle0 existed at any point?

arves100 commented 3 weeks ago

Hello, opengr2 does not support Oodle0 compression, so it was expected not to work. As there is no public specification for Oodle0, I cannot implement it in the library.

On Fri, Aug 23, 2024, 15:57 Lucas Franca wrote:

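The two defects the report points at are a memcpy in the Oodle1 decoder that trusts the compressed stream for how much it may write into decompressedData, and a switch case in gr2_read.c that hands Oodle0 sections to the Oodle1 decoder. The following is an added example, not opengr2's code: a bounds-tracked output buffer so that a section that is not in the format the decoder expects can at worst fail cleanly, never write past the buffer, and a dispatch that rejects Oodle0 up front with an "unsupported" status. The function names, the enum values, the status codes and the toy `[run length][run bytes]` stream format are assumptions made for illustration; they are not the real Oodle1 codec or the library's API.

```c
/* Added example (not opengr2 code). Names, enum values and the toy stream
 * format are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed section compression types (not the library's enum). */
enum gr2_compression { GR2_COMP_NONE = 0, GR2_COMP_OODLE0 = 1, GR2_COMP_OODLE1 = 2 };

/* Assumed status codes. */
enum gr2_status {
    GR2_OK = 0,
    GR2_ERR_UNSUPPORTED = -1,
    GR2_ERR_OVERFLOW = -2,
    GR2_ERR_TRUNCATED = -3
};

/* Output buffer that remembers how much of decompressedData is filled. */
struct outbuf { uint8_t *data; size_t cap; size_t len; };

/* Replaces a bare memcpy: refuses any copy that would run past the end of
 * the buffer. len <= cap always holds, so cap - len cannot wrap. */
static int out_append(struct outbuf *o, const uint8_t *src, size_t n) {
    if (n > o->cap - o->len) return GR2_ERR_OVERFLOW;
    memcpy(o->data + o->len, src, n);
    o->len += n;
    return GR2_OK;
}

/* Toy "Oodle1-like" decoder, constructed for this example: the input is a
 * sequence of [1-byte run length][run bytes] records. Every write goes
 * through out_append, so a stream in some other format (as an Oodle0
 * section would be) can only produce an error, never an out-of-bounds write. */
static int toy_decompress(const uint8_t *in, size_t in_len, struct outbuf *o) {
    size_t pos = 0;
    while (pos < in_len) {
        size_t run = in[pos++];
        if (run > in_len - pos) return GR2_ERR_TRUNCATED; /* record claims more input than exists */
        int rc = out_append(o, in + pos, run);
        if (rc != GR2_OK) return rc;                      /* record claims more output than fits */
        pos += run;
    }
    return GR2_OK;
}

/* Dispatch on the section's compression type. Oodle0 gets an explicit
 * "unsupported" result instead of being routed to the Oodle1 decoder. */
static int gr2_decompress_section(int comp, const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_len, size_t *written) {
    struct outbuf o = { out, out_len, 0 };
    int rc;
    switch (comp) {
    case GR2_COMP_NONE:
        rc = out_append(&o, in, in_len);
        break;
    case GR2_COMP_OODLE1:
        rc = toy_decompress(in, in_len, &o);
        break;
    case GR2_COMP_OODLE0: /* no public specification: do not fall through to Oodle1 */
    default:
        rc = GR2_ERR_UNSUPPORTED;
        break;
    }
    if (written) *written = o.len;
    return rc;
}

int main(void) {
    /* Constructed sample streams. */
    static const uint8_t good[]      = { 3, 'a', 'b', 'c', 2, 'd', 'e' };                 /* "abcde" */
    static const uint8_t oversized[] = { 9, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i' }; /* 9 bytes into 8 */
    static const uint8_t truncated[] = { 4, 'a', 'b' };                                   /* run longer than input */
    uint8_t out[8];
    size_t n;

    printf("oodle1 good:      rc=%d written=%zu\n",
           gr2_decompress_section(GR2_COMP_OODLE1, good, sizeof good, out, sizeof out, &n), n);
    printf("oodle1 oversized: rc=%d written=%zu\n",
           gr2_decompress_section(GR2_COMP_OODLE1, oversized, sizeof oversized, out, sizeof out, &n), n);
    printf("oodle1 truncated: rc=%d written=%zu\n",
           gr2_decompress_section(GR2_COMP_OODLE1, truncated, sizeof truncated, out, sizeof out, &n), n);
    printf("oodle0:           rc=%d written=%zu\n",
           gr2_decompress_section(GR2_COMP_OODLE0, good, sizeof good, out, sizeof out, &n), n);
    return 0;
}
```

The point of routing every write through `out_append` is that the declared decompressed size of a section, not the contents of the compressed stream, bounds what the decoder may write; a section mislabelled or in an unknown format then surfaces as a returned error code that the caller can report, rather than as corrupted heap metadata found later by `free`.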