A failure to validate an untrusted length field could potentially lead to a denial of service condition.
Acknowledgments: Name: Scott Gayou (Red Hat)
time ttembed hang.useme real 13m6.415s user 3m47.487s sys 9m16.191s
Unembargoed due to very low impact. Upstream notified.
Created ttembed tracking bugs for this issue: Affects: fedora-all [bug 1611683]
Upstream Issue: https://github.com/hisdeedsaredust/ttembed/issues/2
If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service: for (x=length;x>0;x-=4) sum += readbe32(inways); As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping. time ttembed hang.useme real 13m6.415s user 3m47.487s sys 9m16.191s Instead of looping forever, the code should fail as soon as readbe32 detects an EOF, else, the program should verify the bounds of the program and bail out when size > actual size of the file.