[ https://issues.apache.org/jira/browse/COMPRESS-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrii Hudz closed COMPRESS-626. -------------------------------- > OutOfMemoryError on malformed pack200 attributes > ------------------------------------------------ > > Key: COMPRESS-626 > URL: https://issues.apache.org/jira/browse/COMPRESS-626 > Project: Commons Compress > Issue Type: Bug > Components: Archivers > Affects Versions: 1.21 > Environment: ubuntu18 > java-11-openjdk-amd64 > Reporter: Andrii Hudz > Priority: Major > Fix For: 1.22 > > Attachments: sample-1.0-SNAPSHOT-vulnerable-pack200.jar > > > pack200.NewAttributeBands.getStreamUpToMatchingBracket() and > unpack200.NewAttributeBands.getStreamUpToMatchingBracket can result in an > infinite loop that finally leads to an out of memory error. > pack example: > {code:java} > import org.apache.commons.compress.harmony.pack200.AttributeDefinitionBands; > import org.apache.commons.compress.harmony.pack200.CPUTF8; > import org.apache.commons.compress.harmony.pack200.NewAttributeBands; > public class ApacheCompress_1_21_OutOfMemory { > public static void main(String[] args) throws Exception { > CPUTF8 name = new CPUTF8(""); > CPUTF8 layout = new CPUTF8("["); > new NewAttributeBands(1, null, null, > new AttributeDefinitionBands.AttributeDefinition(35, > AttributeDefinitionBands.CONTEXT_CLASS, name, layout) > ); > } > }{code} > {code:java} > Exception in thread "main" java.lang.OutOfMemoryError: Java heap space at > java.base/java.util.Arrays.copyOf(Arrays.java:3745) at > java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172) > at > java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748) > at java.base/java.lang.StringBuffer.append(StringBuffer.java:429) at > org.apache.commons.compress.harmony.pack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:822) > at > org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:180) > at > org.apache.commons.compress.harmony.pack200.NewAttributeBands.parseLayout(NewAttributeBands.java:95) > at > org.apache.commons.compress.harmony.pack200.NewAttributeBands.<init>(NewAttributeBands.java:53) > at > ApacheCompress_1_21_OutOfMemory.main(ApacheCompress_1_21_OutOfMemory.java:9) > {code} > > unpack example on the malformed archive: > {code:java} > import org.apache.commons.compress.java.util.jar.Pack200; > public class ApacheCompress_1_21_OutOfMemory_unpack_demo { > public static void main(String[] args) throws Exception { > String input = "/sample-1.0-SNAPSHOT-vulnerable-pack200.jar"; > try ( > InputStream inputStream = > ApacheCompress_1_21_OutOfMemory_unpack_demo.class.getResourceAsStream(input); > JarOutputStream out = new JarOutputStream(new OutputStream() { > @Override > public void write(int i) { > } > }); > ) { > Pack200.newUnpacker().unpack(inputStream, out); > } > } > }{code} > {code:java} > Exception in thread "main" java.lang.OutOfMemoryError: Java heap space at > java.base/java.util.Arrays.copyOf(Arrays.java:3745) at > java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172) > at > java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748) > at java.base/java.lang.StringBuffer.append(StringBuffer.java:429) at > org.apache.commons.compress.harmony.unpack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:883) > at > org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:201) > at > org.apache.commons.compress.harmony.unpack200.NewAttributeBands.parseLayout(NewAttributeBands.java:122) > at > org.apache.commons.compress.harmony.unpack200.NewAttributeBands.<init>(NewAttributeBands.java:58) > at > org.apache.commons.compress.harmony.unpack200.AttrDefinitionBands.read(AttrDefinitionBands.java:85) > at > org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:353) > at > org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459) > at > org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436) > at > org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:156) > at > org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49) > at > ApacheCompress_1_21_OutOfMemory_unpack_demo.main(ApacheCompress_1_21_OutOfMemory_unpack_demo.java:20)Process > finished with exit code 1 > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)