Uploaded image for project: 'Commons Compress'
  1. Commons Compress
  2. COMPRESS-599

Memory usage in Pack200Compressor cannot be limited

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.21
    • None
    • Compressors

    Description

      While fuzzing commons-compress, I found the following case where a specific input leads to unbounded memory allocation in the Pack200Compressor.

      It seems there is currently no way to limit memory usage of this compressor and thus this cannot be avoided if you process untrusted data via commons-compress.

      With the following code-snippet:

      public class Crash_0d5a0130ab3cd32f299b2a27aa76f24a0bbabae8 {
    static final String base64Bytes = "yv7QDQeW0ABgfwDuwOn8QwIGAAIBAQAAd9zc3Nzc3Nzc3Nzc3Nzc3NxuZXR3YXJl3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3GluZG93cwAAAwMUAxUDZmVzdA0K";

    public static void main(String[] args) throws IOException {
        byte[] input = java.util.Base64.getDecoder().decode(base64Bytes);
      new Pack200CompressorInputStream(new ByteArrayInputStream(input), Pack200Strategy.TEMP_FILE);
    }
}

      The following exception happens:

      Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at org.apache.commons.compress.harmony.pack200.Codec.decodeInts(Codec.java:169)
    at org.apache.commons.compress.harmony.pack200.BHSDCodec.decodeInts(BHSDCodec.java:256)
    at org.apache.commons.compress.harmony.unpack200.BandSet.decodeBandInt(BandSet.java:100)
    at org.apache.commons.compress.harmony.unpack200.CpBands.parseCpUtf8(CpBands.java:366)
    at org.apache.commons.compress.harmony.unpack200.CpBands.read(CpBands.java:111)
    at org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:351)
    at org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459)
    at org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436)
    at org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:155)
    at org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49)
    at org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream.<init>(Pack200CompressorInputStream.java:183)
    at org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream.<init>(Pack200CompressorInputStream.java:77)
    at Crash_0d5a0130ab3cd32f299b2a27aa76f24a0bbabae8.main(Crash_0d5a0130ab3cd32f299b2a27aa76f24a0bbabae8.java:13)

      Attachments

        Activity

          People

            Unassigned Unassigned
            dominik.stadler@gmx.at Dominik Stadler
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: