OpenCC, Out-of-bounds Read, CVE-2023-XXXXX (Medium)

Listen to this Post

The vulnerabilities stem from improper length validation in UTF-8 processing within two distinct code paths: `MaxMatchSegmentation::Segment` and Conversion::Convert. The core issue is the failure to enforce the invariant that matchedLength <= remainingLength. When OpenCC encounters malformed or truncated UTF-8 input, it derives a character length from the invalid data. Instead of verifying this derived length against the actual buffer space left, the code trusts the value. This leads to a desynchronization where the pointer advances beyond the intended bounds. In MaxMatchSegmentation::Segment, this causes out-of-bounds reads during prefix matching. In Conversion::Convert, the pointer can pass the null terminator, reading adjacent heap or stack memory. The failure chain is triggered by invalid UTF-8, resulting in an incorrect length derivation, an incorrect pointer advance, and a desync in remaining-length tracking. The fix in PR 1005 resolves this by explicitly tracking input boundaries, recomputing remaining lengths per iteration, and clamping processed lengths to maintain buffer-bound invariants.
Platform: OpenCC
Version: <1.2.0
Vulnerability: Out-of-bounds Read
Severity: Medium
Date: 2026-03-30

Prediction: Patch released (1.2.0)

What Undercode Say:

Analytics indicate that exploitation relies on feeding malformed UTF-8 sequences. Systems using package managers (apt, yum, pip) with outdated versions are at risk. Builds without ASan may not immediately crash but can leak memory.

Check installed version
opencc --version
Test for vulnerability (requires ASan build or valgrind)
echo -n "Invalid UTF-8: \xE0\x80" | ./vulnerable_opencc -c zhs2zht
Compile with AddressSanitizer for detection
gcc -fsanitize=address -o opencc_test opencc.c

Exploit:

An attacker supplies a string ending with a truncated UTF-8 sequence (e.g., missing final byte of a 3-byte character). The parser miscalculates the length, causing a read beyond the allocated buffer, potentially leaking heap addresses or causing a denial of service.

Protection from this CVE:

Upgrade OpenCC to version 1.2.0 or later. If patching is delayed, implement strict input validation on all UTF-8 strings before passing them to the library. Use memory sanitizers in development environments to catch out-of-bounds reads.

Impact:

Process crashes (Denial of Service) and non-deterministic disclosure of adjacent memory contents. No remote code execution or arbitrary write capability has been identified.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top