Full Disclosure mailing list archives

liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers uncaught std::length_error via negative vector resize (DoS)


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:21:22 -0400

lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

    template <class S>
    void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {
        int count = stream.ReadInt();
        vec.resize(count);        // negative -> huge size_t -> throws std::length_error
        for (int i = 0; i < count; i++) {
            IDReader::ReadID(vec[i], stream);
            TypeReader<S>::ReadLcf(vec[i], stream, 0);
        }
    }

does not validate count. When count is negative, the implicit conversion to
size_t in std::vector::resize requests an enormous size and the C++ runtime
throws std::length_error. The tool does not catch the exception, so the
process terminates. This is a straightforward DoS against any consumer of
untrusted LCF data that uses liblcf's readers without guarding against
exceptions.

The issue reproduces across multiple record types (e.g., Event in LMU,
Troop/TroopPage in LDB).
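The following is an added example, not liblcf code, showing the check a
hardened reader would apply before resizing: it reproduces how a negative
count becomes the huge size_t seen in the backtrace, then rejects negative
counts and counts that cannot fit in the remaining bytes of the stream.
The toy LcfReader, its little-endian 32-bit ReadInt, the two-byte Record
layout and the constructed byte buffers are assumptions made to keep the
example self-contained; liblcf's real integer encoding and record formats
differ.

```cpp
// Added example (not liblcf code): bounds-checked element counts for
// vector reads from untrusted LCF-style data.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Toy in-memory reader. Assumption: ints are little-endian int32; the
// real LcfReader::ReadInt uses a different encoding.
struct LcfReader {
    std::vector<uint8_t> data;
    size_t pos = 0;

    // Reads an int32; returns nullopt when fewer than 4 bytes remain.
    std::optional<int32_t> ReadInt() {
        if (data.size() - pos < 4) return std::nullopt;
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(data[pos + i]) << (8 * i);
        pos += 4;
        return static_cast<int32_t>(v);
    }
    size_t Remaining() const { return data.size() - pos; }
};

// The unchecked conversion that vec.resize(count) performs: a negative
// int becomes a size_t near 2^64, which is what the backtrace shows.
size_t AsVectorSize(int count) { return static_cast<size_t>(count); }

// Toy record: one id byte plus one payload byte (assumption).
struct Record { uint8_t id; uint8_t value; };
constexpr size_t kMinRecordBytes = 2;

// Validates a count read from the stream before it reaches resize().
// Rejects negative counts and counts that could not possibly be backed
// by the bytes left in the stream, so a hostile file can neither force a
// huge allocation nor trigger std::length_error.
std::optional<size_t> CheckedCount(int32_t count, size_t remaining) {
    if (count < 0) return std::nullopt;
    size_t n = static_cast<size_t>(count);
    if (n > remaining / kMinRecordBytes) return std::nullopt;
    return n;
}

// Hardened reader: reports failure instead of terminating the process.
bool ReadRecords(std::vector<Record>& vec, LcfReader& stream) {
    auto count = stream.ReadInt();
    if (!count) return false;
    auto n = CheckedCount(*count, stream.Remaining());
    if (!n) return false;
    vec.resize(*n);
    for (size_t i = 0; i < *n; ++i) {
        vec[i].id = stream.data[stream.pos++];
        vec[i].value = stream.data[stream.pos++];
    }
    return true;
}

// Constructed input: count = 2 followed by two well-formed records.
std::vector<uint8_t> BenignStream() {
    return {0x02, 0x00, 0x00, 0x00, 0x01, 0x0A, 0x02, 0x0B};
}

// Constructed input: count = -135274527 (0xF7EFDFE1 little-endian), the
// value from the advisory's backtrace, followed by one record.
std::vector<uint8_t> HostileStream() {
    return {0xE1, 0xDF, 0xEF, 0xF7, 0x01, 0x0A};
}

// Parses a buffer; returns the record count, or -1 when rejected.
long ParseCount(const std::vector<uint8_t>& bytes) {
    LcfReader stream{bytes};
    std::vector<Record> vec;
    if (!ReadRecords(vec, stream)) return -1;
    return static_cast<long>(vec.size());
}
```

A check of this form belongs in the generic reader, since every record
type that goes through Struct<S>::ReadLcf inherits it; the size bound is
conservative because any real record occupies at least a few bytes, so an
oversized count is always an error rather than a legitimate file.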


*Technical Details:*

$ lcf2xml --2k3 <poc.lmu>
terminate called after throwing an instance of 'std::length_error'
  what():  vector::_M_default_append
Aborted

*Backtrace (LMU → Map → Events path):*

#0  std::__throw_length_error(char const*)
#1  std::vector<lcf::rpg::Event>::_M_check_len(__n=18446744073574277089, ...)
#2  std::vector<lcf::rpg::Event>::_M_default_append(__n=18446744073574277089)
#3  lcf::Struct<lcf::rpg::Event>::ReadLcf(vec, stream) at reader_struct_impl.h:220  // vec.resize(count)
    locals: count = -135274527
#4  TypeReader<std::vector<Event>>::ReadLcf(...)
#5  TypedField<Map, std::vector<Event>>::ReadLcf(...)
#6  lcf::Struct<lcf::rpg::Map>::ReadLcf(...)
#7  lcf::LMU_Reader::Load(...)
#8  ReaderWriteToFile(...) -> lcf2xml main
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/