bugBattle for Wesnoth - Bugs: bug #13031, Malicious map WML can hang Wesnoth...


bug #13031: Malicious map WML can hang Wesnoth / exhaust system memory

Submitted by:  Daniel Franke <dfranke>
Submitted on:  Fri 20 Feb 2009 10:02:46 AM UTC  
Category: Bug
Severity: 6 - Security
Priority: 5 - Normal
Item Group: None of the others
Status: Fixed
Privacy: Public
Assigned to: Tomasz Śniatowski <ilor>
Open/Closed: Closed
Release: 1.5.10+svn
Operating System: Linux



Tue 17 Mar 2009 02:03:44 PM UTC, comment #3:

This issue got assigned CVE-2009-0878

Gerfried Fuchs <rhonda>
Project Member
Sat 21 Feb 2009 11:48:55 PM UTC, comment #2:

I guess nobody's happy about a hard limit but it's certainly better than nothing. Also it seems there's already a limit on something else related to map area (MAX_MAP_AREA in map_location.hpp), probably those should be merged.

Tomasz Śniatowski <ilor>
Project Member. In charge of this item.
Sat 21 Feb 2009 11:37:19 PM UTC, SVN revision 32987:

fix bug #13031 by implementing a hard limit on map size. The cap is set to 200 tiles (so 200*200 is the max map area), and as of now is a hardcoded constant in terrain_translation.cpp.


Tomasz Śniatowski <ilor>
Project Member. In charge of this item.
Fri 20 Feb 2009 10:02:46 AM UTC, original submission:

Although the Wesnoth map editor does not allow creating maps larger than 200x200, no size check is performed when loading an already-created map. A one-by-ten-million map occupies only a few tens of megabytes on disk, gzips down to a few tens of kilobytes (if it is all one terrain), but when opened in Wesnoth will hang it for several minutes and consume tens of gigabytes of memory. Particularly since networked multiplayer game maps are sent gzipped over the wire, this permits clients to DoS each other by hosting games with enormous maps, or by uploading such maps to the campaign server.

Daniel Franke <dfranke>
Project Member
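
A dimension check of the kind the fix describes, run over the map text in a single pass before anything is allocated per tile. This is an added example, not Wesnoth's code from terrain_translation.cpp; the function names, the constant name and the simplified map format (comma-separated terrain codes, one row per line) are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Cap from the commit message on this page: 200 tiles per side.
constexpr std::size_t MAX_MAP_SIDE = 200;  // hypothetical constant name

// Scan the raw map text once, before any per-tile allocation. Returns true
// and sets width/height only if both sides fit the cap and rows are equal.
// Assumed format: comma-separated terrain codes, one row per line.
bool checked_dimensions(const std::string& text,
                        std::size_t& width, std::size_t& height) {
    std::size_t w = 0, h = 0, commas = 0;
    bool in_row = false;
    auto end_row = [&]() -> bool {
        if (!in_row) return true;                  // blank line: ignore
        const std::size_t cells = commas + 1;
        if (h == 0) w = cells;
        else if (cells != w) return false;         // ragged row
        commas = 0; in_row = false;
        return ++h <= MAX_MAP_SIDE;                // false on row 201
    };
    for (char c : text) {
        if (c == '\n') { if (!end_row()) return false; continue; }
        in_row = true;
        // Stop at the 200th comma: the row has at least 201 cells.
        if (c == ',' && ++commas >= MAX_MAP_SIDE) return false;
    }
    if (!end_row() || h == 0) return false;        // last row, empty input
    width = w; height = h;
    return true;
}

// Constructed sample input: a w-by-h map filled with one terrain code.
std::string uniform_map(std::size_t w, std::size_t h) {
    std::string row, out;
    for (std::size_t i = 0; i < w; ++i) { if (i) row += ','; row += "Gg"; }
    for (std::size_t i = 0; i < h; ++i) { out += row; out += '\n'; }
    return out;
}

int main() {
    std::size_t w = 0, h = 0;
    std::cout << checked_dimensions(uniform_map(40, 30), w, h) << '\n';
    std::cout << checked_dimensions(uniform_map(1, 10000000), w, h) << '\n';
}
```

Because the scan returns at the 201st row or cell, the cost of rejecting an oversized map is bounded by the cap rather than by the size of the decompressed input.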




Depends on the following items: None found

Items that depend on this one: None found


Carbon-Copy List
  • -unavailable- added by rhonda (Posted a comment)
  • -unavailable- added by esr (Updated the item)
  • -unavailable- added by ilor (Posted a comment)
  • -unavailable- added by dfranke (Submitted the item)




    Follow 4 latest changes.

    Date | Changed By | Updated Field | Previous Value => Replaced By
    Wed 25 Feb 2009 06:14:08 PM UTC | dfranke | Privacy | Private => Public
    Mon 23 Feb 2009 11:13:55 PM UTC | esr | Open/Closed | Open => Closed
    Sat 21 Feb 2009 11:48:55 PM UTC | ilor | Status | None => Fixed
    Sat 21 Feb 2009 11:48:55 PM UTC | ilor | Assigned to | None => ilor