OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch.
CFB directory entries form a red-black tree linked by LeftSiblingID and RightSiblingID fields. OpenMcdf's DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A's RightSiblingID points to entry B, and entry B's LeftSiblingID points back to entry A) causes traversal to loop indefinitely.
Two distinct code paths are affected:
Storage.EnumerateEntries() - DirectoryTreeEnumerator.MoveNext() never returns false; the same entry is yielded on every iteration and the caller's foreach never exits. Heap grows unboundedly as entries accumulate.Storage.OpenStream() - DirectoryTree.TryGetDirectoryEntry loops indefinitely inside DirectoryEntries.TryGetSibling during the name lookup.A crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code:
using OpenMcdf;
using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);
// Never returns - EnumerateEntries loops indefinitely
foreach (var entry in root.EnumerateEntries())
{
Console.WriteLine(entry.Name);
if (entry.Type == EntryType.Stream)
root.OpenStream(entry.Name); // also hangs depending on the cycle structure
}
A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (D0 CF 11 E0 A1 B1 1A E1) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is...
3.1.3Exploitability
AV:LAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H6.2/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H