Message-ID: <CAFmK-Gx=GHmBY=XSSj11QG=cva8GFjZ2WgFeBmxJ1hidpyoAyQ@mail.gmail.com>
Date: Sun, 17 Aug 2025 22:21:22 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers
 uncaught std::length_error via negative vector resize (DoS)

lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

template <class S>
void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {
    int count = stream.ReadInt();
    vec.resize(count);        // negative -> huge size_t -> throws length_error
    for (int i = 0; i < count; i++) {
        IDReader::ReadID(vec[i], stream);
        TypeReader<S>::ReadLcf(vec[i], stream, 0);
    }
}

does not validate count. When count is negative, the implicit conversion to
size_t in std::vector::resize requests an enormous size and the C++ runtime
throws std::length_error, which is uncaught in the tool, causing the
process to terminate. This is a straightforward DoS against any consumer of
untrusted LCF data using liblcf’s readers without guarding exceptions.

The issue reproduces across multiple record types (e.g., Event in LMU,
Troop/TroopPage in LDB).
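Added example, not liblcf's own code: a small C++ model of the failing pattern next to a reader that validates the count before resizing. It assumes a hypothetical ByteReader in place of LcfReader, one-int32 records in place of rpg::Event, and constructed little-endian byte buffers as input.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for LcfReader: a bounds-checked cursor over a byte buffer.
struct ByteReader {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    int32_t ReadInt() {                      // assumption: plain little-endian int32
        if (pos + 4 > buf.size()) throw std::runtime_error("truncated input");
        int32_t v; std::memcpy(&v, buf.data() + pos, 4); pos += 4; return v;
    }
    size_t Remaining() const { return buf.size() - pos; }
};

struct Record { int32_t id = 0; };           // toy record; rpg::Event is far larger
constexpr size_t kMinRecordBytes = 4;        // smallest encoding one Record can have

// Mirrors the vulnerable pattern: resize(count) with no sign check. A negative
// count converts to a huge size_t and resize() throws std::length_error.
std::vector<Record> ReadUnchecked(ByteReader& r) {
    int count = r.ReadInt();
    std::vector<Record> vec;
    vec.resize(count);
    for (int i = 0; i < count; i++) vec[i].id = r.ReadInt();
    return vec;
}

// Hardened form: reject negative counts and counts the remaining bytes cannot
// hold, so hostile input fails with a clean, catchable error before allocation.
std::vector<Record> ReadChecked(ByteReader& r) {
    int count = r.ReadInt();
    if (count < 0 || static_cast<size_t>(count) > r.Remaining() / kMinRecordBytes)
        throw std::runtime_error("invalid element count: " + std::to_string(count));
    std::vector<Record> vec(static_cast<size_t>(count));
    for (auto& rec : vec) rec.id = r.ReadInt();
    return vec;
}

// Constructed test data: encode int32 values as little-endian bytes.
std::vector<uint8_t> Encode(std::initializer_list<int32_t> ints) {
    std::vector<uint8_t> out;
    for (int32_t v : ints) {
        uint32_t u = static_cast<uint32_t>(v);
        for (int s = 0; s < 32; s += 8) out.push_back(static_cast<uint8_t>(u >> s));
    }
    return out;
}

// Runs one reader over a buffer and reports the outcome as a short string.
std::string Classify(bool checked, const std::vector<uint8_t>& bytes) {
    ByteReader r{bytes};
    try {
        auto v = checked ? ReadChecked(r) : ReadUnchecked(r);
        return "ok:" + std::to_string(v.size());
    } catch (const std::length_error&) { return "length_error"; }
      catch (const std::runtime_error&) { return "runtime_error"; }
}
```

Feeding the count from the backtrace (-135274527) to ReadUnchecked reproduces the std::length_error, while ReadChecked turns the same input into an ordinary parse error the caller can handle.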


*Technical Details:*

$ lcf2xml --2k3 <poc.lmu>
terminate called after throwing an instance of 'std::length_error'
  what():  vector::_M_default_append
Aborted

*Backtrace (LMU → Map → Events path):*

#0  std::__throw_length_error(char const*)
#1  std::vector<lcf::rpg::Event>::_M_check_len(__n=18446744073574277089, ...)
#2  std::vector<lcf::rpg::Event>::_M_default_append(__n=18446744073574277089)
#3  lcf::Struct<lcf::rpg::Event>::ReadLcf(vec, stream) at reader_struct_impl.h:220  // vec.resize(count)
    locals: count = -135274527
#4  TypeReader<std::vector<Event>>::ReadLcf(...)
#5  TypedField<Map, std::vector<Event>>::ReadLcf(...)
#6  lcf::Struct<lcf::rpg::Map>::ReadLcf(...)
#7  lcf::LMU_Reader::Load(...)
#8  ReaderWriteToFile(...) -> lcf2xml main
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/