Fwd: Crypto++ and invalid read in decompressor class
---------- Forwarded message ----------
From: Jeffrey Walton <[hidden email]>
Date: Mon, Jun 5, 2017 at 9:32 PM
Subject: Crypto++ and invalid read in decompressor class
To: [hidden email]
Crypto++'s (https://www.cryptopp.com/) is a free and open source
library of cryptographic schemes originally written by Wei Dai. Smart
fuzzing revealed Crypto++'s Zinflate class, used by classes like
Gunzip and Inflator, could perform an out-of-bounds read when
The out-of-bounds read occurs on a table with 30 elements. The table
is static and its storage is allocated in initialized memory. The
attacker can craft a ZIP file that allows a read of the last two
non-existent elements. We believe an attacker can only read 0-bytes
due to the storage allocation. We were not able to escalate it to a
write. We believe its a low risk finding.
We were not able to induce failures in other classes using the
techniques. Other classes include those that are related, like
compressors; and those which are unrelated, like public and private
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [hidden email].
More information about Crypto++ and this group is available at http://www.cryptopp.com.
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.