Details
Major Description
pack200.NewAttributeBands.getStreamUpToMatchingBracket() and unpack200.NewAttributeBands.getStreamUpToMatchingBracket can result in an infinite loop that finally leads to an out of memory error.
pack example:
import org.apache.commons.compress.harmony.pack200.AttributeDefinitionBands; import org.apache.commons.compress.harmony.pack200.CPUTF8; import org.apache.commons.compress.harmony.pack200.NewAttributeBands; public class ApacheCompress_1_21_OutOfMemory { public static void main(String[] args) throws Exception { CPUTF8 name = new CPUTF8(""); CPUTF8 layout = new CPUTF8("["); new NewAttributeBands(1, null, null, new AttributeDefinitionBands.AttributeDefinition(35, AttributeDefinitionBands.CONTEXT_CLASS, name, layout) ); } }
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space at java.base/java.util.Arrays.copyOf(Arrays.java:3745) at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172) at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748) at java.base/java.lang.StringBuffer.append(StringBuffer.java:429) at org.apache.commons.compress.harmony.pack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:822) at org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:180) at org.apache.commons.compress.harmony.pack200.NewAttributeBands.parseLayout(NewAttributeBands.java:95) at org.apache.commons.compress.harmony.pack200.NewAttributeBands.<init>(NewAttributeBands.java:53) at ApacheCompress_1_21_OutOfMemory.main(ApacheCompress_1_21_OutOfMemory.java:9)
unpack example on the malformed archive:
import org.apache.commons.compress.java.util.jar.Pack200; public class ApacheCompress_1_21_OutOfMemory_unpack_demo { public static void main(String[] args) throws Exception { String input = "/sample-1.0-SNAPSHOT-vulnerable-pack200.jar"; try ( InputStream inputStream = ApacheCompress_1_21_OutOfMemory_unpack_demo.class.getResourceAsStream(input); JarOutputStream out = new JarOutputStream(new OutputStream() { @Override public void write(int i) { } }); ) { Pack200.newUnpacker().unpack(inputStream, out); } } }
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space at java.base/java.util.Arrays.copyOf(Arrays.java:3745) at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172) at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:748) at java.base/java.lang.StringBuffer.append(StringBuffer.java:429) at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.getStreamUpToMatchingBracket(NewAttributeBands.java:883) at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextAttributeElement(NewAttributeBands.java:201) at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.parseLayout(NewAttributeBands.java:122) at org.apache.commons.compress.harmony.unpack200.NewAttributeBands.<init>(NewAttributeBands.java:58) at org.apache.commons.compress.harmony.unpack200.AttrDefinitionBands.read(AttrDefinitionBands.java:85) at org.apache.commons.compress.harmony.unpack200.Segment.readSegment(Segment.java:353) at org.apache.commons.compress.harmony.unpack200.Segment.unpackRead(Segment.java:459) at org.apache.commons.compress.harmony.unpack200.Segment.unpack(Segment.java:436) at org.apache.commons.compress.harmony.unpack200.Archive.unpack(Archive.java:156) at org.apache.commons.compress.harmony.unpack200.Pack200UnpackerAdapter.unpack(Pack200UnpackerAdapter.java:49) at ApacheCompress_1_21_OutOfMemory_unpack_demo.main(ApacheCompress_1_21_OutOfMemory_unpack_demo.java:20)Process finished with exit code 1