[
https://issues.apache.org/jira/browse/XERCESJ-1759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17761776#comment-17761776
]
Elliotte Rusty Harold edited comment on XERCESJ-1759 at 9/4/23 10:24 AM:
-------------------------------------------------------------------------
Maybe it can, but so far I don't think this has been proven. The issue with
stack depth is not memory usage. DOM's tend to be inefficient. That's not news.
In 2023 250 M heap size is small, and I'm not surprised you got an OOM.
Implementing stack depth limits might not help you at all. I wouldn't be
surprised if a similarly sized document with a shallow depth but the same
number of elements had a very similar memory profile.
Stack depth limits are designed not to prevent OOMs but to avoid certain
inefficient recursive algorithms that run out of stack, not heap.
was (Author: elharo):
Maybe it can, but so far I don't think the end has been proven. The issue with
stack depth is not memory usage. DOM's tend to be inefficient. That's not news.
In 2023 250 M heap size is small, and I'm not surprised you got an OOM.
Implementing stack depth limits might not help you at all. I wouldn't be
surprised if a similarly sized document with a shallow depth but the same
number of elements had a very similar memory profile.
Stack depth limits are designed not to prevent OOMs but to avoid certain
inefficient recursive algorithms that run out of stack, not heap.
> Parsing xml cannot limit the maximum element depth, resulting in excessive
> memory usage and DOS.
> ------------------------------------------------------------------------------------------------
>
> Key: XERCESJ-1759
> URL: https://issues.apache.org/jira/browse/XERCESJ-1759
> Project: Xerces2-J
> Issue Type: Bug
> Components: JAXP (javax.xml.parsers), JAXP (javax.xml.validation)
> Affects Versions: 2.12.2
> Reporter: shuailingliang
> Priority: Major
> Labels: security
>
> When parsing an xml file similar to the following by calling the
> javax.xml.parsers.DocumentBuilder#parse(java.io.File) method, the elements
> are nested layer by layer and there is no element closing tag. Since the
> depth of elements cannot be verified, the array in
> org.apache.xerces.impl.XMLDocumentFragmentScannerImpl#fElementStack will
> continue to increase the number of QName objects, resulting in excessive
> memory and DOS problems.
>
> <?xml version=”1.0” encoding=”UTF-8” standalone=”no” ?>
> <A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A
> a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A
> a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”><A a=”1”>…
>
> After testing, we found that a file of 12.93M will cause an OOM exception in
> a service with a maximum heap memory of 250M.
>
> We checked the jdk information and found that we can limit the nesting depth
> of xml elements by setting the system property jdk.xml.maxElementDepth. We
> hope xerces can solve this problem.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-dev-h...@xerces.apache.org
