Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent crafted DOS attack. #2501

Merged
merged 1 commit into from Aug 10, 2023
Merged

Prevent crafted DOS attack. #2501

merged 1 commit into from Aug 10, 2023
+12 −1

Conversation

JimBobSquarePants
Copy link
Member

@JimBobSquarePants JimBobSquarePants commented Aug 1, 2023
edited

Prerequisites

  • I have written a descriptive pull-request title
  • I have verified that there are no overlapping pull-requests open
  • I have verified that I am following the existing coding patterns and practice as demonstrated in the repository. These follow strict Stylecop rules 👮.
  • I have provided test coverage for my change (where applicable)

Description

It's possible to cause the library to hang with a crafted byte array targetting the PBM decoder. This PR fixes that vulnarability. All other formats correctly test for the end of the stream.

ynse01
ynse01 reviewed Aug 1, 2023
View reviewed changes
src/ImageSharp/Formats/Pbm/BufferedReadStreamExtensions.cs
@@ -28,7 +28,7 @@ public static void SkipWhitespaceAndComments(this BufferedReadStream stream)
{
innerValue = stream.ReadByte();
}
while (innerValue != 0x0a);
while (innerValue is not 0x0a and not -0x1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should a similar check be added also in line 52 ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

int current = stream.ReadByte() - 0x30;
if ((uint)current > 9)
{
    break;
}

In case of EOF current == -1 -0x30 == -0x31. (uint)-0x31 == SomeHighNum > 9.

Nevertheless, a test case might be nice, these infinite loops are dangerous. 💀

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's why I left it. We actually enter that loop in ReadDecimal with this test, but I'll double check before merging.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cover this code with the test so I'm happy. I'll open another PR after this one to backport the fix to 2.X

antonfirsov
antonfirsov approved these changes Aug 10, 2023
View reviewed changes
Copy link
Member

@antonfirsov antonfirsov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shall merge and publish this, the faster the better. It also needs a 2.1 backport, which I would be happy to do, but I have no computer access until Monday.

JimBobSquarePants added a commit that referenced this pull request Aug 10, 2023
@JimBobSquarePants
Backport #2501
e0d14b1
@JimBobSquarePants JimBobSquarePants mentioned this pull request Aug 10, 2023
Merged
4 tasks
@JimBobSquarePants
Copy link
Member Author

JimBobSquarePants commented Aug 10, 2023
edited

We shall merge and publish this, the faster the better. It also needs a 2.1 backport, which I would be happy to do, but I have no computer access until Monday.

Done #2509

I was hoping to get the gif fixes in asap but they'll have to wait if I cannot get hem reviewed.

@JimBobSquarePants JimBobSquarePants merged commit 77d49e6 into main Aug 10, 2023
22 checks passed
@JimBobSquarePants JimBobSquarePants deleted the js/pbm-dos branch August 10, 2023 09:46
JimBobSquarePants added a commit that referenced this pull request Aug 11, 2023
@JimBobSquarePants
Merge pull request #2509 from SixLabors/backport/2501
d1b52a2 
Backport #2501
@JimBobSquarePants JimBobSquarePants mentioned this pull request Aug 23, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ynse01 ynse01 ynse01 left review comments

@tocsoft tocsoft tocsoft approved these changes

@antonfirsov antonfirsov antonfirsov approved these changes

@dlemstra dlemstra Awaiting requested review from dlemstra

@brianpopow brianpopow Awaiting requested review from brianpopow

Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@JimBobSquarePants @tocsoft @antonfirsov @ynse01