Andrii Hudz created COMPRESS-626:
------------------------------------
Summary: OutOfMemoryError on malformed pack200 attributes
Key: COMPRESS-626
URL: https://issues.apache.org/jira/browse/COMPRESS-626
Project: Commons Compress
Issue Type: Bug
Components: Archivers
Affects Versions: 1.21
Environment: ubuntu18
java-11-openjdk-amd64
Reporter: Andrii Hudz
Attachments: sample-1.0-SNAPSHOT-vulnerable-pack200.jar
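pack200.NewAttributeBands.getStreamUpToMatchingBracket() and
unpack200.NewAttributeBands.getStreamUpToMatchingBracket() can enter an
infinite loop that eventually ends in an OutOfMemoryError. In the pack example
below the attribute layout is a lone "[" with no matching "]", and both stack
traces show the StringBuffer inside that method growing until the heap is
exhausted; on the unpack side this is reached from
Pack200.newUnpacker().unpack() while reading a malformed archive.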
pack example:
{code:java}
import org.apache.commons.compress.harmony.pack200.AttributeDefinitionBands;
import org.apache.commons.compress.harmony.pack200.CPUTF8;
import org.apache.commons.compress.harmony.pack200.NewAttributeBands;
/**
 * Reproducer from COMPRESS-626 for the pack side (reported against Commons Compress 1.21).
 *
 * <p>Builds an attribute definition whose layout string is a single {@code "["} and passes it
 * to the {@code NewAttributeBands} constructor. According to the stack trace in the report,
 * layout parsing in that constructor reaches {@code getStreamUpToMatchingBracket}, which keeps
 * appending to a {@code StringBuffer} until the JVM throws {@code OutOfMemoryError}.
 *
 * <p>For a regression test, the useful assertion is that constructing the bands with this
 * layout terminates promptly instead of exhausting the heap.
 */
public class ApacheCompress_1_21_OutOfMemory {
    public static void main(String[] args) throws Exception {
        final CPUTF8 emptyName = new CPUTF8("");
        // The malformed part: an opening bracket that is never closed.
        final CPUTF8 unbalancedLayout = new CPUTF8("[");

        final AttributeDefinitionBands.AttributeDefinition definition =
                new AttributeDefinitionBands.AttributeDefinition(
                        35,
                        AttributeDefinitionBands.CONTEXT_CLASS,
                        emptyName,
                        unbalancedLayout);

        // The constructor parses the layout; the report shows the failure happening here.
        new NewAttributeBands(1, null, null, definition);
    }
}{code}
{code:java}
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3745)
    at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)
    at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)
    at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)
    at org.apache.commons.compress.harmony.pack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:822)
    at org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:180)
    at org.apache.commons.compress.harmony.pack200.NewAttributeBands.parseLayout(NewAttributeBands.java:95)
    at org.apache.commons.compress.harmony.pack200.NewAttributeBands.<init>(NewAttributeBands.java:53)
    at ApacheCompress_1_21_OutOfMemory.main(ApacheCompress_1_21_OutOfMemory.java:9)
{code}
unpack example on the malformed archive:
{code:java}
import org.apache.commons.compress.java.util.jar.Pack200;
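/**
 * Reproducer from COMPRESS-626 for the unpack side (reported against Commons Compress 1.21).
 *
 * <p>Loads the archive attached to the report from the classpath and unpacks it into a
 * stream that discards all output. According to the stack trace in the report, unpacking
 * reaches {@code unpack200.NewAttributeBands.getStreamUpToMatchingBracket} while reading the
 * attribute definitions and ends in {@code OutOfMemoryError}.
 *
 * <p>NOTE: the listing as posted imports only {@code Pack200}; it also needs
 * {@code java.io.InputStream}, {@code java.io.OutputStream} and
 * {@code java.util.jar.JarOutputStream} to compile.
 */
public class ApacheCompress_1_21_OutOfMemory_unpack_demo {
    public static void main(String[] args) throws Exception {
        String input = "/sample-1.0-SNAPSHOT-vulnerable-pack200.jar";
        try (InputStream inputStream =
                ApacheCompress_1_21_OutOfMemory_unpack_demo.class.getResourceAsStream(input)) {
            // getResourceAsStream returns null when the resource is absent; fail with a clear
            // message instead of handing a null stream to the unpacker.
            if (inputStream == null) {
                throw new IllegalStateException("Resource not found on classpath: " + input);
            }
            // Unpacked bytes are irrelevant to the reproduction, so they are discarded.
            // OutputStream.nullOutputStream() is available on the Java 11 runtime named in
            // the report's environment.
            try (JarOutputStream out = new JarOutputStream(OutputStream.nullOutputStream())) {
                Pack200.newUnpacker().unpack(inputStream, out);
            }
        }
    }
}{code}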
{code:java}
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.base/java.util.Arrays.copyOf(Arrays.java:3745)
    at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)
    at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)
    at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)
    at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:883)
    at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:201)
    at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.parseLayout(NewAttributeBands.java:122)
    at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.<init>(NewAttributeBands.java:58)
    at org.apache.commons.compress.harmony.unpack200.AttrDefinitionBands.read(AttrDefinitionBands.java:85)
    at org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:353)
    at org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459)
    at org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436)
    at org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:156)
    at org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49)
    at ApacheCompress_1_21_OutOfMemory_unpack_demo.main(ApacheCompress_1_21_OutOfMemory_unpack_demo.java:20)

Process finished with exit code 1
{code}