GHSA-7fqq-q52p-2jjg: OpenCC has an Out-of-bounds read when processing truncated UTF-8 input
OpenCC versions before 1.2.0 contain two CWE-125 (Out-of-bounds Read) issues caused by length validation failures in UTF-8 processing. When handling malformed or truncated UTF-8 input, OpenCC trusted derived length values without enforcing the invariant that the length to be processed must not exceed the number of bytes remaining in the input buffer. A UTF-8 sequence cut off at the end of the input could therefore cause reads past the end of the buffer during segmentation or conversion. Upgrade to OpenCC 1.2.0 or later.
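The following C++ is an added illustration written for this page; it is not OpenCC's own source and does not reproduce the specific affected functions or the project's internal names. It shows the general shape of the defect the advisory describes and the check that closes it: the sequence length announced by a UTF-8 lead byte is a value derived from untrusted input, so it must be clamped against the bytes remaining in the buffer before any continuation byte is touched. The function names (`Utf8LeadLength`, `Utf8NextCharLengthUnchecked`, `Utf8NextCharLength`, `CountCodePoints`) and the sample input are assumptions made up here.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Length announced by a UTF-8 lead byte. Returns 0 for a continuation byte
// (10xxxxxx) or an invalid lead byte (0xF8..0xFF). Hypothetical helper.
static size_t Utf8LeadLength(unsigned char c) {
  if (c < 0x80) return 1;
  if ((c & 0xE0) == 0xC0) return 2;
  if ((c & 0xF0) == 0xE0) return 3;
  if ((c & 0xF8) == 0xF0) return 4;
  return 0;
}

// Vulnerable pattern (illustrative, not OpenCC's code): the announced length
// is returned to the caller without comparing it to `remaining`. A caller
// that advances by this value, or reads p[1..n-1], walks off the buffer on
// truncated input. Only p[0] is read here, so calling it is safe; the bug is
// the value it hands back.
size_t Utf8NextCharLengthUnchecked(const char* p, size_t remaining) {
  if (remaining == 0) return 0;
  return Utf8LeadLength(static_cast<unsigned char>(p[0]));
}

// Hardened form: enforce the invariant n <= remaining before touching any
// continuation byte, and reject continuation bytes that are not 10xxxxxx.
// Returns the number of bytes to consume, or 0 for a malformed or truncated
// sequence. (Overlong encodings and code points above U+10FFFF are not
// rejected here; a full validator would also check those.)
size_t Utf8NextCharLength(const char* p, size_t remaining) {
  if (remaining == 0) return 0;
  size_t n = Utf8LeadLength(static_cast<unsigned char>(p[0]));
  if (n == 0 || n > remaining) return 0;  // the missing bound check
  for (size_t i = 1; i < n; ++i) {
    if ((static_cast<unsigned char>(p[i]) & 0xC0) != 0x80) return 0;
  }
  return n;
}

// Segmentation-style loop over a buffer using the hardened function.
// Returns the number of complete code points; `consumed` receives the number
// of bytes consumed before the first malformed or truncated sequence, so the
// caller can report or skip the bad tail instead of reading past it.
size_t CountCodePoints(const std::string& s, size_t* consumed) {
  size_t pos = 0, count = 0;
  while (pos < s.size()) {
    size_t n = Utf8NextCharLength(s.data() + pos, s.size() - pos);
    if (n == 0) break;
    pos += n;
    ++count;
  }
  if (consumed) *consumed = pos;
  return count;
}

int main() {
  // Constructed sample: "中文" (E4 B8 AD E6 96 87) with the last byte cut off.
  const std::string truncated("\xE4\xB8\xAD\xE6\x96");
  size_t consumed = 0;
  size_t count = CountCodePoints(truncated, &consumed);
  std::cout << "complete code points: " << count
            << ", bytes consumed: " << consumed << '\n';

  // The unchecked variant reports 3 bytes for the 2-byte tail, which is
  // exactly the value a caller would use to read past the end of the buffer.
  std::cout << "unchecked length of tail: "
            << Utf8NextCharLengthUnchecked(truncated.data() + 3, 2)
            << ", checked length of tail: "
            << Utf8NextCharLength(truncated.data() + 3, 2) << '\n';
  return 0;
}
```

The unchecked function deliberately reads only the lead byte, so the example demonstrates the wrong return value rather than performing an out-of-bounds access itself; in a real decoder the same value feeds a loop or an index, which is where the read past the buffer happens.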