Uploaded image for project: 'Tika'
  1. Tika
  2. TIKA-2446

Tainted Zip file can provoke OOM errors

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.16
    • Fix Version/s: 1.19, 2.0.0
    • Component/s: None
    • Labels:
      None

      Description

      Hi,

      using Tika 1.16 with embedded POI 3.17-beta1 we experienced an OutOfMemory error on a Zip file. The suspicious code is in the constructor of FakeZipEntry in line 125. Here a ByteArrayOutputStream of up to 2 GiB in size is opened which will most probably lead to an OutOfMemory. The entry size in the zip file can be easily faked by an attacker.

      The code path to FakeZipEntry will be used only if the native java.util.zip.ZipFile implementation already failed to open the (possibly corrupted) Zip. Possibly a more fine grained error analysis could be done in ZipPackage.

      I have attached a tweaked zip file that will provoke this error.

      public FakeZipEntry(ZipEntry entry, InputStream inp) throws IOException {
      			super(entry.getName());
      			
      			// Grab the de-compressed contents for later
                  ByteArrayOutputStream baos;
      
                  long entrySize = entry.getSize();
      
                  if (entrySize !=-1) {
                      if (entrySize>=Integer.MAX_VALUE) {
                          throw new IOException("ZIP entry size is too large");
                      }
      
                      baos = new ByteArrayOutputStream((int) entrySize);
                  } else {
          			baos = new ByteArrayOutputStream();
                  }
      

      Kinds,

      Thorsten

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              thorsten.schaefer Thorsten Schäfer

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment