Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent crafted DOS attack. #2501

Merged
merged 1 commit into from
Aug 10, 2023
Merged

Prevent crafted DOS attack. #2501

merged 1 commit into from
Aug 10, 2023

Conversation

JimBobSquarePants
Copy link
Member

@JimBobSquarePants JimBobSquarePants commented Aug 1, 2023

Prerequisites

  • I have written a descriptive pull-request title
  • I have verified that there are no overlapping pull-requests open
  • I have verified that I am following the existing coding patterns and practice as demonstrated in the repository. These follow strict Stylecop rules 👮.
  • I have provided test coverage for my change (where applicable)

Description

It's possible to cause the library to hang with a crafted byte array targetting the PBM decoder. This PR fixes that vulnarability. All other formats correctly test for the end of the stream.

@@ -28,7 +28,7 @@ public static void SkipWhitespaceAndComments(this BufferedReadStream stream)
{
innerValue = stream.ReadByte();
}
while (innerValue != 0x0a);
while (innerValue is not 0x0a and not -0x1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should a similar check be added also in line 52 ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

int current = stream.ReadByte() - 0x30;
if ((uint)current > 9)
{
    break;
}

In case of EOF current == -1 -0x30 == -0x31. (uint)-0x31 == SomeHighNum > 9.

Nevertheless, a test case might be nice, these infinite loops are dangerous. 💀

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's why I left it. We actually enter that loop in ReadDecimal with this test, but I'll double check before merging.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cover this code with the test so I'm happy. I'll open another PR after this one to backport the fix to 2.X

Copy link
Member

@antonfirsov antonfirsov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shall merge and publish this, the faster the better. It also needs a 2.1 backport, which I would be happy to do, but I have no computer access until Monday.

JimBobSquarePants added a commit that referenced this pull request Aug 10, 2023
@JimBobSquarePants JimBobSquarePants mentioned this pull request Aug 10, 2023
4 tasks
@JimBobSquarePants
Copy link
Member Author

JimBobSquarePants commented Aug 10, 2023

We shall merge and publish this, the faster the better. It also needs a 2.1 backport, which I would be happy to do, but I have no computer access until Monday.

Done #2509

I was hoping to get the gif fixes in asap but they'll have to wait if I cannot get hem reviewed.

@JimBobSquarePants JimBobSquarePants merged commit 77d49e6 into main Aug 10, 2023
21 checks passed
@JimBobSquarePants JimBobSquarePants deleted the js/pbm-dos branch August 10, 2023 09:46
JimBobSquarePants added a commit that referenced this pull request Aug 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants