liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service
A crafted RPG Maker save file causes an integer overflow in the liblcf library, which in turn leads to memory allocation errors and structure parsing errors, and finally to a program crash or denial of service. 2025-08-19 03:00:09 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:16:39 -0400

A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
liblcf’s lcfstrings compressed integer decoding logic
(`LcfReader::ReadInt()`), resulting in an unbounded shift and accumulation
loop. The overflowed value is later used in buffer size allocations and
structure parsing, causing large memory access requests and parsing errors.


*Steps to Reproduce*

1. Use the attached `.lsd` file (see PoC section).
2. Run: `./lcfstrings poc_overflow.lsd`
3. Observe invalid reads such as:
   - `Read 4294967205 bytes!`
   - Multiple `Invalid Primitive` and `Corrupted Chunk` warnings
   - Crash or excessive memory consumption in affected builds


*Proof of Concept:*

A `.lsd` file with a malformed compressed integer consisting of 11 bytes of
`0xFF` followed by `0x7F` triggers the overflow. Because every `0xFF` byte has
its continuation bit set, the loop in `ReadInt()` keeps shifting the
accumulator left and wraps it past 32 bits (e.g., to `0xFFFFFFFF`), and the
corrupted value is then used as a size by the callers.
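As an added illustration, not liblcf's own code (the real `LcfReader::ReadInt()` may differ in detail), the shift-and-accumulate pattern the advisory describes is shown beside a bounded, overflow-checked version, both fed the same 11 x `0xFF` + `0x7F` sequence. The encoding is assumed to be big-endian base-128 with a high continuation bit, and all function names are chosen here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>
// LCF compressed integers (assumed encoding): big-endian base-128, 7 data bits per
// byte, high bit set = another byte follows; the first byte carries the high bits.
// Unbounded pattern as the advisory describes it: bits shifted past bit 31 are
// silently lost, so a run of 0xFF bytes saturates at 0xFFFFFFFF instead of failing.
uint32_t read_int_unbounded(const std::vector<uint8_t>& buf, size_t& pos) {
    uint32_t value = 0;
    while (pos < buf.size()) {
        uint8_t b = buf[pos++];
        value = (value << 7) | (b & 0x7Fu);
        if (!(b & 0x80u)) break;
    }
    return value;
}
// Hardened form: a uint32_t needs at most 5 base-128 bytes, and before each shift the
// accumulator must be <= 0x01FFFFFF (25 bits) to fit; anything else is rejected.
bool read_int_checked(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
    uint32_t value = 0;
    for (int i = 0; i < 5; ++i) {
        if (pos >= buf.size()) return false;        // input ends mid-integer
        uint8_t b = buf[pos++];
        if (value > 0x01FFFFFFu) return false;      // value << 7 would overflow
        value = (value << 7) | (b & 0x7Fu);
        if (!(b & 0x80u)) { out = value; return true; }
    }
    return false;                                   // continuation bit still set after 5 bytes
}
// Wrappers decoding from offset 0; decode_checked returns -1 when the encoding is rejected.
uint32_t decode_unbounded(const std::vector<uint8_t>& buf) { size_t p = 0; return read_int_unbounded(buf, p); }
int64_t decode_checked(const std::vector<uint8_t>& buf) {
    size_t p = 0; uint32_t v = 0;
    return read_int_checked(buf, p, v) ? static_cast<int64_t>(v) : -1;
}
// Constructed from the advisory's description: 11 bytes of 0xFF followed by 0x7F.
std::vector<uint8_t> poc_bytes() {
    std::vector<uint8_t> v(11, uint8_t{0xFF});
    v.push_back(0x7F);
    return v;
}
int main() {
    std::printf("unbounded: 0x%08X\n", (unsigned)decode_unbounded(poc_bytes()));   // 0xFFFFFFFF
    std::printf("checked:   %lld\n", (long long)decode_checked(poc_bytes()));      // -1 (rejected)
    return 0;
}
```

The unbounded decoder already wraps on the fifth `0xFF`; the checked one stops at the fourth byte, before the shift that would lose bits.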
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2025/Aug/9