You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Gary D. Gregory (Jira)" <ji...@apache.org> on 2022/09/30 12:42:00 UTC

[jira] [Commented] (COMPRESS-626) OutOfMemoryError on malformed pack200 attributes

    [ https://issues.apache.org/jira/browse/COMPRESS-626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611563#comment-17611563 ] 

Gary D. Gregory commented on COMPRESS-626:
------------------------------------------

I added {{org.apache.commons.compress.harmony.unpack200.tests.Compress626Test}} to git master as a disabled test for now.

> OutOfMemoryError on malformed pack200 attributes
> ------------------------------------------------
>
>                 Key: COMPRESS-626
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-626
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>    Affects Versions: 1.21
>         Environment: ubuntu18
> java-11-openjdk-amd64
>            Reporter: Andrii Hudz
>            Priority: Major
>         Attachments: sample-1.0-SNAPSHOT-vulnerable-pack200.jar
>
>
> pack200.NewAttributeBands.getStreamUpToMatchingBracket() and unpack200.NewAttributeBands.getStreamUpToMatchingBracket can result in an infinite loop that finally leads to an out of memory error.
> pack example:
> {code:java}
> import org.apache.commons.compress.harmony.pack200.AttributeDefinitionBands;
> import org.apache.commons.compress.harmony.pack200.CPUTF8;
> import org.apache.commons.compress.harmony.pack200.NewAttributeBands;
> public class ApacheCompress_1_21_OutOfMemory {
>     public static void main(String[] args) throws Exception {
>         CPUTF8 name = new CPUTF8("");
>         CPUTF8 layout = new CPUTF8("[");
>         new NewAttributeBands(1, null, null,
>                 new AttributeDefinitionBands.AttributeDefinition(35, AttributeDefinitionBands.CONTEXT_CLASS, name, layout)
>         );
>     }
> }{code}
> {code:java}
> Exception in thread "main" java.lang.OutOfMemoryError: Java heap space     at java.base/java.util.Arrays.copyOf(Arrays.java:3745)     at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)     at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)     at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:822)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:180)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.parseLayout(NewAttributeBands.java:95)     at org.apache.commons.compress.harmony.pack200.NewAttributeBands.<init>(NewAttributeBands.java:53)     at ApacheCompress_1_21_OutOfMemory.main(ApacheCompress_1_21_OutOfMemory.java:9)
> {code}
>  
> unpack example on the malformed archive:
> {code:java}
> import org.apache.commons.compress.java.util.jar.Pack200;
> public class ApacheCompress_1_21_OutOfMemory_unpack_demo {
>     public static void main(String[] args) throws Exception {
>         String input = "/sample-1.0-SNAPSHOT-vulnerable-pack200.jar";
>         try (
>                 InputStream inputStream = ApacheCompress_1_21_OutOfMemory_unpack_demo.class.getResourceAsStream(input);
>                 JarOutputStream out = new JarOutputStream(new OutputStream() {
>                     @Override
>                     public void write(int i) {
>                     }
>                 });
>         ) {
>             Pack200.newUnpacker().unpack(inputStream, out);
>         }
>     }
> }{code}
> {code:java}
> Exception in thread "main" java.lang.OutOfMemoryError: Java heap space     at java.base/java.util.Arrays.copyOf(Arrays.java:3745)     at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)     at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748)     at java.base/java.lang.StringBuffer.append(StringBuffer.java:429)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:883)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:201)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.parseLayout(NewAttributeBands.java:122)     at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.<init>(NewAttributeBands.java:58)     at org.apache.commons.compress.harmony.unpack200.AttrDefinitionBands.read(AttrDefinitionBands.java:85)     at org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:353)     at org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459)     at org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436)     at org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:156)     at org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49)     at ApacheCompress_1_21_OutOfMemory_unpack_demo.main(ApacheCompress_1_21_OutOfMemory_unpack_demo.java:20)Process finished with exit code 1
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)