Graphite icon indicating copy to clipboard operation
Graphite copied to clipboard
verified publisher icon Moulberry

Potential OOM bug/exploit in graphite NBT

Open rj00a opened this issue 3 years ago • 1 comments

In crates/graphite_binary/src/nbt/decode.rs the read_list function uses Vec::with_capacity(length as _). However, length has no upper bound. I believe malicious input could potentially allocate i32::MAX * sizeof(usize) bytes.

The other read functions are correctly bounded.

rj00a avatar Sep 22 '22 11:09 rj00a

Should be fixed by aca938b, will leave issue open until confirmation from a second person

Moulberry avatar Sep 22 '22 12:09 Moulberry