Boost Users
From: __PPS__ (i-love-spam_at_[hidden])
Date: 2005-11-26 04:45:14
In the simplest case, std::string is serialized this way:
length|string data.
In this case it's possible to feed invalid data to the deserialization
function so that the application stalls waiting for the OS to reserve a huge
pile of RAM, or fails with bad alloc.
This invalid data could be intentionally manually edited, or it
could be the case where you serialize ints and then try to deserialize
the data as strings (or whatever else).
Isn't it possible to have archives that somehow check the size of the
available stream data (e.g., for stringstream), or archives that are
initialized with a data pointer and the size of the data pointed to by that
pointer, or maybe something else?
Here's a complete example that shows such a problem in action:
/////////////////////////////
#include <iostream>
#include <fstream>
#include <string>
#include <ctime>
#include <exception>
#include <boost/archive/text_oarchive.hpp>
#include <boost/archive/binary_iarchive.hpp>
#include <boost/serialization/serialization.hpp>
#include <boost/serialization/string.hpp>
using namespace std;
using namespace boost::archive;

int main() try {
    string s1 = "Hello world!", s2;
    {
        // Write s1 to the file as a *text* archive.
        ofstream file("data.txt", ios::binary | ios::trunc);
        text_oarchive a(file, no_header);
        a << s1;
    }
    time_t t(time(0));
    {
        // Read the same file back as a *binary* archive, so the leading
        // text bytes are taken as the string's length.
        ifstream file("data.txt", ios::binary);
        binary_iarchive a(file, no_header);
        a >> s2;
    }
    cout << "time elapsed: " << (time(0) - t) << "s" << endl;
    cout << "s2.size() => " << s2.size() << "\n"
            "s2 => \"" << s2.substr(0, 64) << "...\"" << endl;
} catch (const exception &e) {
    cout << "error: " << e.what() << endl;
}
/////////////////////////////
And the output I got on Win XP:
time elapsed: 110s
s2.size() => 1210069553
s2 => "ello world! ..."
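
The check the post asks for, as an added example that is not part of the original message and is not Boost.Serialization code: a length-prefixed string reader that compares the declared length with the bytes actually left in the stream before allocating. The function names, the 4-byte little-endian prefix, the seekable stream and the 1 MiB cap are assumptions made for illustration; the sample input is the text archive's content from the post, whose first four bytes `12 H` read as a little-endian 32-bit integer give the 1210069553 reported above.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Bytes between the current read position and the end of a seekable stream.
std::uint64_t bytes_remaining(std::istream& in) {
    const std::istream::pos_type here = in.tellg();
    if (here == std::istream::pos_type(-1))
        throw std::runtime_error("stream is not seekable");
    in.seekg(0, std::ios::end);
    const std::istream::pos_type end = in.tellg();
    in.seekg(here);                       // restore the read position
    return static_cast<std::uint64_t>(end - here);
}

// Read the (assumed) 4-byte little-endian length prefix.
std::uint32_t read_length(std::istream& in) {
    unsigned char b[4];
    if (!in.read(reinterpret_cast<char*>(b), 4))
        throw std::runtime_error("truncated length prefix");
    return std::uint32_t(b[0]) | (std::uint32_t(b[1]) << 8) |
           (std::uint32_t(b[2]) << 16) | (std::uint32_t(b[3]) << 24);
}

// Reject the record before allocating if the declared length is above the
// policy cap or larger than what the stream can still deliver.
std::string read_string_checked(std::istream& in,
                                std::uint32_t max_len = 1u << 20) {
    const std::uint32_t len = read_length(in);
    if (len > max_len || len > bytes_remaining(in))
        throw std::length_error("declared length exceeds limit or available data");
    std::string s(len, '\0');
    if (len != 0 && !in.read(&s[0], len))
        throw std::runtime_error("short read");
    return s;
}

int main() {
    // Constructed input: what text_oarchive wrote for "Hello world!".
    std::istringstream mismatched(std::string("12 Hello world!"));
    try {
        read_string_checked(mismatched);
    } catch (const std::length_error& e) {
        std::cout << "rejected: " << e.what() << "\n";
    }
}
```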
Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net