Ticket #116 (new defect)

Opened 2 years ago

Last modified 1 year ago

Possible DoS with bz2 files.

Reported by: jm
Assigned to: haypo
Priority: low
Milestone:
Component: parser
Keywords: upstream
Cc:

Description

Contrary to the zlib module, the bz2 API doesn't provide anything to read a certain amount of decompressed data. And the bz2 module may not be the only decompressor that is so badly written.

The size of attachment:ticket:116:1GB.bz2 is only 785 bytes but it contains 1GB of data (only 0x00). Since, for efficiency reasons, Hachoir gives the decompressor chunks of a few kB, Python must handle 1GB of data at a certain moment, and unless you have enough memory, you'll get, for example, a MemoryError, an OOM, etc.

I tested the bz2 module by giving it 1 byte at a time and it returns chunks of 45899235 bytes...

source of the bz2 module: http://svn.python.org/view/python/trunk/Lib/encodings/bz2_codec.py

Attachments

1GB.bz2 (0.8 kB) - added by jm on 01/25/07 17:35:40.
1GB of /dev/zero

Change History

01/25/07 17:35:40 changed by jm

  • attachment 1GB.bz2 added.

1GB of /dev/zero

01/25/07 17:51:29 changed by jm

  • keywords set to upstream.

It's clearly a bug in Python because the bzip2 command uses little memory to decompress 1GB.bz2, so a workaround would be to launch the bzip2 command in a subprocess. Note that this would also make it possible to support formats that don't have any binding/module.

09/03/07 03:52:15 changed by haypo

Hachoir may be affected by many other Denial of Service threats. We may use my limitedTime() and/or limitedMemory() functions from the hachoir_core memory and timeout modules.
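
An added example, not part of the ticket or of Hachoir's code: a bounded bz2 reader using the `max_length` argument that `bz2.BZ2Decompressor.decompress()` gained in Python 3.5, long after this ticket was filed. The names `bounded_bunzip2`, `OutputLimitExceeded`, `split` and `probe` are hypothetical, and the sample is constructed (8 MiB of zero bytes standing in for 1GB.bz2).

```python
import bz2

class OutputLimitExceeded(Exception):
    """Decompressed output went past the caller's budget."""

def bounded_bunzip2(chunks, max_total, max_step=64 * 1024):
    """Decompress an iterable of bz2 chunks, yielding pieces of at most
    max_step bytes and raising once more than max_total bytes come out."""
    decomp = bz2.BZ2Decompressor()
    total = 0
    for chunk in chunks:
        data = chunk
        while True:
            # max_length caps what one call may return; whatever is left
            # stays buffered in the decompressor (needs_input turns False).
            out = decomp.decompress(data, max_length=max_step)
            data = b""  # drain buffered input before feeding a new chunk
            total += len(out)
            if total > max_total:
                raise OutputLimitExceeded("more than %d bytes" % max_total)
            if out:
                yield out
            if decomp.eof or decomp.needs_input:
                break
        if decomp.eof:
            return

def split(blob, size):
    """Cut a bytes object into size-byte chunks, like a streaming parser."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]

def probe(blob, max_total):
    """Return (bytes_seen, largest_piece, limit_hit) for one bounded run."""
    seen = largest = 0
    try:
        for piece in bounded_bunzip2(split(blob, 16), max_total):
            seen += len(piece)
            largest = max(largest, len(piece))
    except OutputLimitExceeded:
        return seen, largest, True
    return seen, largest, False

# Constructed sample: 8 MiB of zero bytes, a small stand-in for 1GB.bz2.
SAMPLE_SIZE = 8 * 1024 * 1024
SAMPLE = bz2.compress(bytes(SAMPLE_SIZE))

if __name__ == "__main__":
    print(len(SAMPLE), probe(SAMPLE, 2 * SAMPLE_SIZE), probe(SAMPLE, 1024 * 1024))
```

Each piece handed to the caller stays at or below `max_step` regardless of how far the input expands, so the parser can stop at its own budget instead of receiving a whole decoded block at once.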

