Full Disclosure mailing list archives

liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service


From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 22:16:39 -0400

A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
liblcf's compressed (variable-length) integer decoding logic
(`LcfReader::ReadInt()`), which the `lcfstrings` tool exercises. For every
continuation byte the decoding loop shifts the 32-bit accumulator left by 7
and ORs in 7 more payload bits, with no limit on how many bytes it consumes.
The overflowed value is later used as a length in buffer allocations and chunk
parsing, producing very large read requests and parsing errors.


*Steps to Reproduce*


1. Use the attached `.lsd` file (see PoC section).

2. Run: `./lcfstrings poc_overflow.lsd`

3. Observe invalid reads such as:

   - `Read 4294967205 bytes!`

   - Multiple `Invalid Primitive` and `Corrupted Chunk` warnings

   - Crash or excessive memory consumption in affected builds


*Proof of Concept:*


A `.lsd` file with a malformed compressed integer consisting of 11 bytes of
`0xFF` followed by `0x7F` triggers the overflow. Every byte except the last has
its continuation bit set, so the loop in `ReadInt()` keeps shifting left and
accumulating: twelve bytes carry 84 payload bits, far more than the 32-bit
accumulator can hold, the high bits are lost, and the result is an all-ones
value (e.g., `0xFFFFFFFF`) that corrupts every internal value derived from it.
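The following is an added worked example, not code from the advisory or from liblcf. It reconstructs, from the description above, the variable-length integer scheme `ReadInt()` is said to use (7 payload bits per byte, most significant group first, high bit as continuation flag) and feeds it the 11 x `0xFF` + `0x7F` sequence constructed here from the text. The decoder names, the `encode()` helper and the use of an unsigned accumulator are assumptions made for illustration; liblcf's actual implementation may differ. Alongside the unchecked decoder it shows a hardened variant that caps the encoding at five bytes and refuses a shift that would overflow.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <optional>
#include <vector>

// Reconstruction (not liblcf's code) of the scheme the advisory describes:
// 7 payload bits per byte, most significant group first, high bit set on
// every byte except the last. A uint32_t accumulator is used so the wrap is
// well defined and observable; with a signed int the overflowing shift is
// undefined behaviour rather than a clean wrap.
uint32_t decode_unchecked(const std::vector<uint8_t>& in, size_t& pos) {
    uint32_t value = 0;
    uint8_t b = 0;
    do {
        if (pos >= in.size()) break;          // truncated input: stop early
        b = in[pos++];
        value = (value << 7) | (b & 0x7F);    // no byte limit: bits fall off the top
    } while (b & 0x80);
    return value;
}

// Hardened variant. A 32-bit value needs at most 5 groups of 7 bits, and a
// shift by 7 is only safe while value < 2^25. Longer or wider encodings are
// rejected instead of silently wrapping.
std::optional<uint32_t> decode_checked(const std::vector<uint8_t>& in, size_t& pos) {
    uint32_t value = 0;
    for (int i = 0; i < 5; ++i) {
        if (pos >= in.size()) return std::nullopt;   // truncated
        if (value >> 25) return std::nullopt;        // next shift would overflow
        uint8_t b = in[pos++];
        value = (value << 7) | (b & 0x7F);
        if (!(b & 0x80)) return value;
    }
    return std::nullopt;                             // sixth continuation byte
}

// Encoder for the same scheme, used to build well-formed inputs.
std::vector<uint8_t> encode(uint32_t v) {
    std::vector<uint8_t> out;
    do {
        out.insert(out.begin(), static_cast<uint8_t>(v & 0x7F));
        v >>= 7;
    } while (v != 0);
    for (size_t i = 0; i + 1 < out.size(); ++i) out[i] |= 0x80;   // continuation bits
    return out;
}

// The malformed integer from the advisory: eleven 0xFF bytes then 0x7F,
// constructed here from the description (the .lsd file itself is not on the page).
std::vector<uint8_t> poc_bytes() {
    std::vector<uint8_t> v(11, 0xFF);
    v.push_back(0x7F);
    return v;
}

// Unchecked decode of the PoC: 12 groups x 7 bits = 84 bits pushed through a
// 32-bit accumulator, leaving 0xFFFFFFFF.
uint32_t poc_unchecked() {
    size_t pos = 0;
    return decode_unchecked(poc_bytes(), pos);
}

// True when the hardened decoder refuses the PoC.
bool poc_rejected() {
    size_t pos = 0;
    return !decode_checked(poc_bytes(), pos).has_value();
}

// Encode-then-decode through the hardened decoder must return v unchanged.
bool roundtrip(uint32_t v) {
    size_t pos = 0;
    std::optional<uint32_t> r = decode_checked(encode(v), pos);
    return r.has_value() && *r == v;
}

int main() {
    std::printf("unchecked decode of PoC: 0x%08X\n", poc_unchecked());
    std::printf("checked decode rejects PoC: %s\n", poc_rejected() ? "yes" : "no");
    std::printf("roundtrip 0xFFFFFFFF: %s\n", roundtrip(0xFFFFFFFFu) ? "ok" : "FAIL");
    return 0;
}
```

The `value >> 25` guard is what matters: any fix that only caps the byte count still accepts a five-byte encoding whose first group carries more than 4 significant bits, which also overflows 32 bits. Rejecting the integer at decode time means the bogus length never reaches the allocation and chunk-parsing code the advisory describes.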
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
