unpack reads past the end of a truncated buffer instead of erroring, returning arbitrary process memory as string contents:
```julia
julia> rr = pack(Dict("a" => repeat("z", 100)));

julia> unpack(rr[begin:10])["a"]
"zzzzz\xa9\"\x01\0\0\0\xfc\x9e\x8e\xa5\x01\0\0\0\xa3\f\xef,\x01\0\0\0\xdf\x10\x8d\n\atH(\xa8\xcbݳ\xb2\xe8=U\xfc\x9e\x8e\xa5\0eak`#\xda\x0f\x01\0\0\0\0\0\0\0\0\0\0\0\xa3\0\0\0\0\0\0\0\x1d\0\0\0\0\0\0\0A/Apportionment/V"
```
This is related to the crash reported in #57, but it's also a security concern. MsgPack is commonly used in web applications where a server unpacks user-provided data and returns something derived from it — that path can leak server memory to a remote attacker.
Expected behaviour: avoid the unsafe memory read, either by throwing or by initializing with empty data.
(I tried to report this vulnerability privately to @jrevels and @sjkelly but I did not get a response.)
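For comparison, a bounds-checked decoder for the map-of-strings case in the report, written in Python as an added example (not MsgPack.jl's code): every read first checks the bytes remaining, so the same 10-byte truncation raises instead of returning whatever lies past the buffer. The function names and the `TruncatedError` type are this example's own.

```python
# Added example (not MsgPack.jl's code): bounds-checked decoding of a map of strings.
class TruncatedError(ValueError): pass          # buffer ends before the value does
def pack_str_map(d):
    """Encode a {str: str} dict (<= 15 entries, strings < 256 bytes)."""
    out = bytearray([0x80 | len(d)])               # fixmap header
    for k, v in d.items():
        for s in (k, v):
            b = s.encode()
            if len(b) < 32:
                out.append(0xA0 | len(b))          # fixstr
            else:
                out += bytes([0xD9, len(b)])       # str 8
            out += b
    return bytes(out)

def _take(buf, pos, n):
    """Return n bytes at pos, or raise: never read beyond len(buf)."""
    if pos + n > len(buf):
        raise TruncatedError(f"need {n} bytes at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n

def _read_str(buf, pos):
    head, pos = _take(buf, pos, 1)
    if 0xA0 <= head[0] <= 0xBF:                    # fixstr: length in tag
        n = head[0] & 0x1F
    elif head[0] == 0xD9:                          # str 8: 1-byte length
        h, pos = _take(buf, pos, 1)
        n = h[0]
    else:
        raise ValueError(f"unsupported type byte 0x{head[0]:02x}")
    data, pos = _take(buf, pos, n)   # check the length before copying the payload
    return data.decode(), pos

def unpack_str_map(buf):
    head, pos = _take(buf, 0, 1)
    if not 0x80 <= head[0] <= 0x8F:
        raise ValueError("expected fixmap")
    result = {}
    for _ in range(head[0] & 0x0F):
        k, pos = _read_str(buf, pos)
        v, pos = _read_str(buf, pos)
        result[k] = v
    return result

def try_unpack(buf):
    try:
        return unpack_str_map(buf)
    except TruncatedError as e:                    # report, never return garbage
        return f"truncated: {e}"
```

With the report's input, `pack_str_map({"a": "z" * 100})` is 105 bytes and its first 10 bytes hold only 5 of the 100 payload bytes, which is exactly where `_take` refuses to continue.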