Open Source and information security mailing list archives
Message-ID: <CAFmK-Gy3tFNUw-VomztRmwZg_AUUoVNCbA4UmxMiwY2Po2TmiQ@mail.gmail.com>
Date: Sun, 17 Aug 2025 22:16:39 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service

A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
the compressed-integer decoding logic (`LcfReader::ReadInt()`) that liblcf's
`lcfstrings` tool relies on: the decoder's shift-and-accumulate loop has no
bound on the number of bytes it consumes, so the accumulated value wraps.
The overflowed value is later used in buffer size allocations and structure
parsing, causing huge memory access requests and parsing errors.

*Steps to Reproduce*

1. Use the attached `.lsd` file (see PoC section).
2. Run: `./lcfstrings poc_overflow.lsd`
3. Observe invalid reads such as:
   - `Read 4294967205 bytes!`
   - Multiple `Invalid Primitive` and `Corrupted Chunk` warnings
   - Crash or excessive memory consumption in affected builds

*Proof of Concept:*

A `.lsd` file with a malformed compressed integer consisting of 11 bytes of
`0xFF` followed by `0x7F` triggers the overflow. Each byte contributes 7
payload bits, so the loop in `ReadInt()` shifts left repeatedly and
accumulates more than 32 bits, wrapping the result (e.g., to `0xFFFFFFFF`)
and corrupting the internal values derived from it.
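As an added illustration (not code from this advisory or from the liblcf project), the C++ below shows a decoder for the 7-bits-per-byte compressed integer format in the unchecked shift-and-accumulate shape the advisory describes, beside a bounded variant that refuses to shift bits out of a 32-bit accumulator and caps the encoding at five bytes. The shape of `read_int_unchecked`, the five-byte cap, and all sample byte sequences (including the 11×`0xFF` + `0x7F` input) are assumptions constructed here for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed sample input in the shape the advisory describes:
// eleven 0xFF bytes (payload 0x7F, continuation bit set) followed by a
// terminating 0x7F. Twelve groups of 7 bits cannot fit in 32 bits.
static const std::vector<uint8_t> kMalformedVarint = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F};

// Constructed well-formed encodings (big-endian 7-bit groups, high bit = "more follows"):
// 0x82 0x2C -> (0x02 << 7) | 0x2C = 300
static const std::vector<uint8_t> kVarint300 = {0x82, 0x2C};
// 0x8F 0xFF 0xFF 0xFF 0x7F -> exactly UINT32_MAX, the largest value that fits
static const std::vector<uint8_t> kVarintMax = {0x8F, 0xFF, 0xFF, 0xFF, 0x7F};
// 0x90 0x80 0x80 0x80 0x00 -> 0x10 << 28, one bit too many for 32 bits
static const std::vector<uint8_t> kVarintTooBig = {0x90, 0x80, 0x80, 0x80, 0x00};

// Unchecked decoder (assumed shape, not liblcf's code): shift-and-accumulate
// with no bound on the number of bytes consumed. Once more than 32 bits have
// been read, the high bits are silently discarded and the caller receives a
// wrapped value instead of an error.
uint32_t read_int_unchecked(const std::vector<uint8_t>& buf, size_t& pos) {
    uint32_t value = 0;
    uint8_t b = 0;
    do {
        if (pos >= buf.size()) break;          // ran off the end of the buffer
        b = buf[pos++];
        value = (value << 7) | (b & 0x7F);     // bits above 31 are lost here
    } while (b & 0x80);
    return value;
}

// Bounded decoder: rejects any shift that would discard accumulator bits,
// caps the encoding at ceil(32/7) = 5 bytes, and rewinds `pos` on failure so
// the caller sees an error rather than a wrapped length. Returns false on error.
bool read_int_checked(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
    const size_t kMaxBytes = 5;
    const size_t start = pos;
    uint32_t value = 0;
    for (size_t i = 0; i < kMaxBytes; ++i) {
        if (pos >= buf.size()) { pos = start; return false; }            // truncated
        if (value > (UINT32_MAX >> 7)) { pos = start; return false; }    // next shift would overflow
        const uint8_t b = buf[pos++];
        value = (value << 7) | (b & 0x7F);
        if ((b & 0x80) == 0) { out = value; return true; }               // terminating byte
    }
    pos = start;
    return false;                                                        // over-long encoding
}

// Small wrappers so each outcome is available as a return value.
uint32_t unchecked_on_malformed() {
    size_t pos = 0;
    return read_int_unchecked(kMalformedVarint, pos);
}

bool checked_rejects(const std::vector<uint8_t>& buf) {
    size_t pos = 0;
    uint32_t out = 0;
    return !read_int_checked(buf, pos, out) && pos == 0;   // rejected and rewound
}

uint32_t checked_value(const std::vector<uint8_t>& buf) {
    size_t pos = 0;
    uint32_t out = 0;
    return read_int_checked(buf, pos, out) ? out : 0;
}

int main() {
    std::printf("unchecked on malformed input: %u\n", unchecked_on_malformed());
    std::printf("checked rejects malformed: %s\n", checked_rejects(kMalformedVarint) ? "yes" : "no");
    std::printf("checked rejects too-big:   %s\n", checked_rejects(kVarintTooBig) ? "yes" : "no");
    std::printf("checked 300: %u, checked max: %u\n", checked_value(kVarint300), checked_value(kVarintMax));
    return 0;
}
```

On the constructed 12-byte input the unchecked loop returns `0xFFFFFFFF` (4294967295), the wrapped value the advisory cites, which a caller would then pass to an allocation or read as a length. The bounded decoder stops at the fifth byte, because the accumulator already holds 28 bits and another 7-bit shift would lose data, and it rewinds the read position so the surrounding chunk parser can report a corrupted chunk instead of acting on the wrapped value.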
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/