Fix potential OOB access during huffman decompression #396
Conversation
If 'readsize' is equal to the size of the input buffer, there's potentially OOB access because the while loop increases the bit offset and only checks the nodes from the huffman tree and not whether the number of bits exceeds 'readsize'. This won't lead to problems if the size of input buffer is greater than 'readsize' but still a design flaw.
…ompression If the OOB check is only included in the while evaluation, it's possible the 0x07 / EOF byte is never returned from this function.
| @@ -61,6 +61,13 @@ static void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) | |||
| node = node->left; | |||
|
|
|||
| } | |||
|
|
|||
| if ( bloc >= readsize ) { | |||
| //Com_PrintError("OOB buffer access\n"); | |||
There was a problem hiding this comment.
Looks like it's worth printing. Why comment it? 😄
|
Hi, why this is not merged? Can't server still get crashed if not fixing |
|
ah my bad, i thought this project was still active |
|
Hi, it's not merged because it's not tested yet. |
Ah ok, some exploits don't seem easy to do |
|
If this bug was easily exploitable, it wouldn't have been publicly disclosed before fixing it. |
If 'readsize' is equal to the size of the input buffer, there's potentially OOB access because the while loop increases the bit offset and only checks the nodes from the huffman tree and not whether the number of bits exceeds 'readsize'. This won't lead to problems if the size of input buffer is greater than 'readsize' but still a design flaw.