benjamyn/CyberChef
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
CyberChef/src/core/operations/RawInflate.mjs
XlogicX 32bee35f85
Removal of unnecessary error checking routine 
This situation occurs because the dependancy (zlibjs/bin/rawinflate.min.js) doesn't do a sanity check on distances going back farther than the current buffer.

For example:
DEFLATE data of '123' and then a length of 9 going back a distance of 6
ASCIIHEX: 333432869300

! infgen 3.0 output
!
last			! 1
fixed			! 01
literal '1		! 10000110
literal '2		! 01000110
literal '3		! 11000110
match 9 6		! 1 00100 1110000
infgen warning: distance too far back (6/3)
end			! 0000000
			! 0

We only have 3 characters, we shouldn't be able to seek 6 characters back. But rawinflate.min.js doesn't check for this like the infgen debug tool (and others) would. So CyberChef would happily provide this as the result:
123...123...
Where the dots are just nulls of likley empty memory preceding the actual buffer

So with the example in this source
// e.g. Input data of [8b, 1d, dc, 44]

last			! 1
fixed			! 01
literal ']		! 10110001
match 158 5		! 0 00100 11011 10000011
infgen warning: distance too far back (5/1)

This means we have a literal ']' and then we are asking for 158 more characters and to find them a distance of 5 back. This explains why the ']', why it repeats every 5, and why it is a length > 158.

This code should just be removed; it isn't justified. Being that this issue is a lack of sanity checking in a dependancy, and that this routine only catches the symptom of one of the nearly unlimited edge cases like this, AND it could filter out correct inputs, such as a recipe of this as input to RAWDEFLATE
]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX[]OMG[]HAX
Then getting an error with the INFLATE even though the input is actually valid.
2022-10-06 13:53:32 -04:00

93 lines
2.4 KiB
JavaScript
Raw Blame History

/**
* @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2016
* @license Apache-2.0
*/
import Operation from "../Operation.mjs";
import {INFLATE_BUFFER_TYPE} from "../lib/Zlib.mjs";
import rawinflate from "zlibjs/bin/rawinflate.min.js";
import OperationError from "../errors/OperationError.mjs";
const Zlib = rawinflate.Zlib;
const RAW_BUFFER_TYPE_LOOKUP = {
"Adaptive": Zlib.RawInflate.BufferType.ADAPTIVE,
"Block": Zlib.RawInflate.BufferType.BLOCK,
};
/**
* Raw Inflate operation
*/
class RawInflate extends Operation {
/**
* RawInflate constructor
*/
constructor() {
super();
this.name = "Raw Inflate";
this.module = "Compression";
this.description = "Decompresses data which has been compressed using the deflate algorithm with no headers.";
this.infoURL = "https://wikipedia.org/wiki/DEFLATE";
this.inputType = "ArrayBuffer";
this.outputType = "ArrayBuffer";
this.args = [
{
name: "Start index",
type: "number",
value: 0
},
{
name: "Initial output buffer size",
type: "number",
value: 0
},
{
name: "Buffer expansion type",
type: "option",
value: INFLATE_BUFFER_TYPE
},
{
name: "Resize buffer after decompression",
type: "boolean",
value: false
},
{
name: "Verify result",
type: "boolean",
value: false
}
];
this.checks = [
{
entropyRange: [7.5, 8],
args: [0, 0, INFLATE_BUFFER_TYPE, false, false]
}
];
}
/**
* @param {ArrayBuffer} input
* @param {Object[]} args
* @returns {ArrayBuffer}
*/
run(input, args) {
const inflate = new Zlib.RawInflate(new Uint8Array(input), {
index: args[0],
bufferSize: args[1],
bufferType: RAW_BUFFER_TYPE_LOOKUP[args[2]],
resize: args[3],
verify: args[4]
}),
result = new Uint8Array(inflate.decompress());
// This seems to be the easiest way...
return result.buffer;
}
}
export default RawInflate;
Reference in New Issue View Git Blame Copy Permalink