Fix potential OOB access during huffman decompression #396
base: master
Conversation
If 'readsize' is equal to the size of the input buffer, there's potential OOB access, because the while loop increases the bit offset and only checks the nodes from the huffman tree, not whether the number of bits exceeds 'readsize'. This won't lead to problems if the size of the input buffer is greater than 'readsize', but it's still a design flaw.
…ompression If the OOB check is only included in the while evaluation, it's possible the 0x07 / EOF byte is never returned from this function.
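The bug shape described in the PR text above, and the reason the commit message insists on a check after the loop as well as in its condition, as an added example (not the project's code): a toy Huffman tree and a decoder modelled on the `Huff_offsetReceive` walk, once without a bound and once bounded. The tree, the packet bytes, the `readsize` value and the `HUFF_EOF` name are all constructed here; the only things taken from the page are the idea of a bit offset (`bloc`) walked against a tree and the 0x07 value the commit message calls the EOF byte. The unchecked walk is given two spare bytes after the logical end of the packet so the overrun can be observed instead of crashing; in a real server those bytes are whatever follows the receive buffer.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char byte;

#define INTERNAL_NODE (-1)   /* marker symbol for non-leaf nodes (assumed) */
#define HUFF_EOF 0x07        /* the "0x07 / EOF byte" of the commit message (assumed name) */

typedef struct node_s {
    struct node_s *left, *right;
    int symbol;
} node_t;

static node_t pool[32];
static int pool_used;
static int max_byte_touched;   /* instrumentation: highest fin[] index read */
static int last_ch;            /* symbol produced by the last demo_* call */

static node_t *new_node(int symbol) {
    node_t *n = &pool[pool_used++];
    memset(n, 0, sizeof *n);
    n->symbol = symbol;
    return n;
}

/* Insert one code ("110" = right, right, left) into the constructed tree. */
static void insert_code(node_t *root, const char *bits, int symbol) {
    node_t *node = root;
    for (; *bits; bits++) {
        node_t **slot = (*bits == '1') ? &node->right : &node->left;
        if (!*slot) *slot = new_node(INTERNAL_NODE);
        node = *slot;
    }
    node->symbol = symbol;
}

/* Toy tree: a=0, b=10, c=110, EOF=111. Not the project's real table. */
static node_t *build_demo_tree(void) {
    pool_used = 0;
    node_t *root = new_node(INTERNAL_NODE);
    insert_code(root, "0", 'a');
    insert_code(root, "10", 'b');
    insert_code(root, "110", 'c');
    insert_code(root, "111", HUFF_EOF);
    return root;
}

/* Bits are consumed LSB-first within each byte; bloc is a bit offset. */
static int get_bit(const byte *fin, int *bloc) {
    int idx = *bloc >> 3;
    if (idx > max_byte_touched) max_byte_touched = idx;
    int bit = (fin[idx] >> (*bloc & 7)) & 1;
    (*bloc)++;
    return bit;
}

/* The flaw: the walk stops only at a leaf, never at the end of the input. */
static void huff_receive_unchecked(node_t *node, int *ch, const byte *fin, int *offset) {
    int bloc = *offset;
    while (node->symbol == INTERNAL_NODE)
        node = get_bit(fin, &bloc) ? node->right : node->left;
    *ch = node->symbol;
    *offset = bloc;
}

/* Hardened: bound the loop AND test again after it, so a code cut off by the
 * end of input yields EOF rather than the marker of an internal node.
 * readsize is in bytes, bloc in bits. Returns 1 for a full symbol, 0 for EOF. */
static int huff_receive_checked(node_t *node, int *ch, const byte *fin, int *offset, int readsize) {
    int bloc = *offset, limit = readsize * 8;
    while (node->symbol == INTERNAL_NODE && bloc < limit)
        node = get_bit(fin, &bloc) ? node->right : node->left;
    *offset = bloc;
    if (node->symbol == INTERNAL_NODE) { *ch = HUFF_EOF; return 0; }
    *ch = node->symbol;
    return 1;
}

/* Constructed packet: seven 'b' codes (bits 0..13), then two 1-bits (14, 15)
 * that start a code the packet never finishes. readsize is 2; the trailing
 * zero bytes stand in for the memory that follows the real buffer. */
static const byte packet[4] = { 0x55, 0xD5, 0x00, 0x00 };
static const int readsize = 2;

/* Decode the truncated code at bit 14; returns the highest byte index read. */
static int demo_unchecked(void) {
    int offset = 14;
    max_byte_touched = -1;
    huff_receive_unchecked(build_demo_tree(), &last_ch, packet, &offset);
    return max_byte_touched;
}

static int demo_checked(void) {
    int offset = 14;
    max_byte_touched = -1;
    huff_receive_checked(build_demo_tree(), &last_ch, packet, &offset, readsize);
    return max_byte_touched;
}

/* Hardened decode of the whole packet; returns symbols read before EOF. */
static int demo_decode_all(void) {
    node_t *root = build_demo_tree();
    int offset = 0, ch, n = 0;
    while (huff_receive_checked(root, &ch, packet, &offset, readsize) && ch != HUFF_EOF)
        n++;
    return n;
}

int main(void) {
    int touched = demo_unchecked();
    printf("unchecked: symbol 0x%02x, read byte %d of a %d-byte buffer\n", last_ch, touched, readsize);
    touched = demo_checked();
    printf("checked:   symbol 0x%02x, read byte %d, %d symbols before EOF\n", last_ch, touched, demo_decode_all());
    return 0;
}
```

The unchecked walk reads byte 2 of a 2-byte packet and happily returns a symbol assembled from memory it does not own; the bounded walk stops at bit 16 and, because the post-loop test sees an internal node, hands back EOF. Dropping that post-loop test would instead store `INTERNAL_NODE` into `*ch`, which is the failure the commit message describes.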
@@ -61,6 +61,13 @@ static void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) | |||
node = node->left; | |||
|
|||
} | |||
|
|||
if ( bloc >= readsize ) { | |||
//Com_PrintError("OOB buffer access\n"); |
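Review bot: the new branch `if ( bloc >= readsize ) {` mutes its only diagnostic (`//Com_PrintError("OOB buffer access\n");`); a decoder running off the end of network input is exactly the event an operator wants logged, so keep the Com_PrintError call or state in a comment why it is silenced. Two points the visible lines leave open and the remainder of this hunk should settle: `readsize` is not among the parameters in the header line (`Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset )`), so confirm where it is declared and that it is in the same unit as `bloc` (a bit offset) rather than bytes; and, as the commit message itself requires, this branch must assign the EOF value to `*ch` rather than leave the symbol of whichever internal node the loop stopped on.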
Looks like it's worth printing. Why comment it? 😄
Hi, why is this not merged? Can't the server still get crashed if it isn't fixed?
Ah, my bad, I thought this project was still active.
Hi, it's not merged because it's not tested yet.
Ah ok, some exploits don't seem easy to do.
If this bug was easily exploitable, it wouldn't have been publicly disclosed before fixing it.