Passing a Gr2 file that uses Oodle0 causes an buffer overflow

[hukasu]

I tried running gr2nfo on a Gr2 that uses Oodle0 and it causes an buffer overflow.

opengr2/libopengrn/oodle1.c

Line 385 in 4e5edd5

memcpy(decompressedData + repeat * backref_offset, decompressedData - backref_offset, remain);

This memcpy writes outside of the bounds of the decompressedData buffer, overwriting points on dictionary->midbits[0].ranges, which later gets called free on, and raising a address violation.

opengr2/libopengrn/gr2_read.c

Line 284 in 4e5edd5

case COMPRESSION_TYPE_OODLE0:

This case is misleading, as it makes it seem as if the algorithm for Oodle1 can decompress Oodle0.

Has the algorithm for Oodle0 existed at any point?

[arves100]

Hello, opengr2 does not support Oodle0 compression so it was expected to not work. As there is no public specification to Oodle0 I cannot implement it on the library

…

On Fri, Aug 23, 2024, 15:57 Lucas Franca ***@***.***> wrote: I tried running gr2nfo on a Gr2 that uses Oodle0 and it causes an buffer overflow. https://github.com/arves100/opengr2/blob/4e5edd5e98dbd69270d40a92ed94cfe16e57955a/libopengrn/oodle1.c#L385 This memcpy writes outside of the bounds of the decompressedData buffer, overwriting points on dictionary->midbits[0].ranges, which later gets called free on, and raising a address violation. https://github.com/arves100/opengr2/blob/4e5edd5e98dbd69270d40a92ed94cfe16e57955a/libopengrn/gr2_read.c#L284 This case is misleading, as it makes it seem as if the algorithm for Oodle1 can decompress Oodle0. Has the algorithm for Oodle0 existed at any point? — Reply to this email directly, view it on GitHub <#7>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABE7QE2DFVZVN6D4DAYSISTZS45VVAVCNFSM6AAAAABNAHWMXGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGQ4DGMRRGQ4DEOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>