liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers uncaught std::length_error via negative vector resize (DoS)
The liblcf tool crashes when parsing certain RPG Maker files because it does not validate the number of vector elements. When a file supplies a negative element count, the resize function requests an enormous amount of memory and throws a std::length_error exception, which is not caught and terminates the program. This vulnerability can be exploited for a denial-of-service attack. 2025-8-19 03:0:12 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:21:22 -0400

lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

template <class S>
void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {
    int count = stream.ReadInt();
    vec.resize(count);        // <— negative -> huge size_t -> throws length_error
    for (int i = 0; i < count; i++) {
        IDReader::ReadID(vec[i], stream);
        TypeReader<S>::ReadLcf(vec[i], stream, 0);
    }
}

does not validate count. When count is negative, the implicit conversion to
size_t in std::vector::resize requests an enormous size and the C++ runtime
throws std::length_error, which is uncaught in the tool, causing the
process to terminate. This is a straightforward DoS against any consumer of
untrusted LCF data using liblcf’s readers without guarding exceptions.

The issue reproduces across multiple record types (e.g., Event in LMU,
Troop/TroopPage in LDB).


*Technical Details:*

$ lcf2xml --2k3 <poc.lmu>
terminate called after throwing an instance of 'std::length_error'
  what():  vector::_M_default_append
Aborted

*Backtrace (LMU → Map → Events path):*

#0  std::__throw_length_error(char const*)
#1  std::vector<lcf::rpg::Event>::_M_check_len(__n=18446744073574277089, ...)
#2  std::vector<lcf::rpg::Event>::_M_default_append(__n=18446744073574277089)
#3  lcf::Struct<lcf::rpg::Event>::ReadLcf(vec, stream) at reader_struct_impl.h:220  // vec.resize(count)
    locals: count = -135274527
#4  TypeReader<std::vector<Event>>::ReadLcf(...)
#5  TypedField<Map, std::vector<Event>>::ReadLcf(...)
#6  lcf::Struct<lcf::rpg::Map>::ReadLcf(...)
#7  lcf::LMU_Reader::Load(...)
#8  ReaderWriteToFile(...) -> lcf2xml main
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
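As an added illustration (not liblcf's code, nor part of the original post): a minimal model of the unguarded vector read quoted above, beside a bounds-checked version that rejects negative counts and counts the remaining stream cannot hold. It assumes a hypothetical 4-byte little-endian count encoding and a fixed 2-byte record, since liblcf's real ReadInt and record layouts differ; ByteReader, Record, ReadUnchecked, ReadChecked and Classify are names invented here.

```cpp
// Added illustration, not liblcf code: the unguarded read from the post beside a
// checked one. Hypothetical simplifications: 4-byte LE count, 2-byte records.
#include <cstdint>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct ByteReader {
    std::vector<uint8_t> buf;
    size_t pos = 0;
    size_t Remaining() const { return buf.size() - pos; }
    uint8_t ReadByte() { if (pos >= buf.size()) throw std::runtime_error("truncated"); return buf[pos++]; }
    int32_t ReadInt() {  // little-endian, sign preserved (demo encoding only)
        uint32_t v = 0;
        for (int i = 0; i < 4; i++) v |= uint32_t(ReadByte()) << (8 * i);
        return static_cast<int32_t>(v);
    }
};

struct Record { uint8_t id = 0; uint8_t value = 0; };

// Mirrors the vulnerable pattern from the post: count is trusted as-is.
std::vector<Record> ReadUnchecked(ByteReader& r) {
    std::vector<Record> vec;
    int count = r.ReadInt();
    vec.resize(count);  // negative -> huge size_t -> std::length_error
    for (int i = 0; i < count; i++) { vec[i].id = r.ReadByte(); vec[i].value = r.ReadByte(); }
    return vec;
}

// Hardened: reject negative counts and counts the stream cannot contain.
std::vector<Record> ReadChecked(ByteReader& r) {
    int count = r.ReadInt();
    if (count < 0 || static_cast<size_t>(count) > r.Remaining() / sizeof(Record))
        throw std::invalid_argument("bad element count " + std::to_string(count));
    std::vector<Record> vec(static_cast<size_t>(count));
    for (auto& rec : vec) { rec.id = r.ReadByte(); rec.value = r.ReadByte(); }
    return vec;
}

// Outcome label for one input: "ok:<n>", "length_error" (what aborts lcf2xml)
// or "error" (rejected by validation, or stream truncated).
std::string Classify(std::vector<uint8_t> bytes, bool checked) {
    ByteReader r{std::move(bytes)};
    try {
        auto v = checked ? ReadChecked(r) : ReadUnchecked(r);
        return "ok:" + std::to_string(v.size());
    } catch (const std::length_error&) { return "length_error"; }
      catch (const std::exception&)    { return "error"; }
}
```

The bytes E1 DF EF F7 encode the count -135274527 seen in the post's backtrace: the unchecked reader throws length_error on them, the checked reader refuses them before any allocation.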


Source: https://seclists.org/fulldisclosure/2025/Aug/11