Headline
GHSA-pqr6-cmr2-h8hf: snappy-java's Integer Overflow vulnerability in shuffle leads to DoS
Summary
Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.
Impact
Denial of Service
Description
The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.
public static byte[] shuffle(int[] input) throws IOException {
byte[] output = new byte[input.length * 4];
int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);
assert(numProcessed == input.length * 4);
return output;
}
Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”. The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.
Steps To Reproduce
Compile and run the following code:
package org.example;
import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String[] args) throws IOException {
int[] original = new int[0x40000000];
byte[] shuffled = BitShuffle.shuffle(original);
System.out.println(shuffled[0]);
}
}
The program will crash, showing the following error (or similar):
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
at org.example.Main.main(Main.java:12)
Process finished with exit code 1
Alternatively - compile and run the following code:
package org.example;
import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String[] args) throws IOException {
int[] original = new int[0x20000000];
byte[] shuffled = BitShuffle.shuffle(original);
}
}
The program will crash with the following error (or similar):
Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648
at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)
at org.example.Main.main(Main.java:11)
Summary
Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.
Impact
Denial of Service
Description
The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.
public static byte[] shuffle(int[] input) throws IOException { byte[] output = new byte[input.length * 4]; int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); assert(numProcessed == input.length * 4); return output; }
Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.
The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.
Steps To Reproduce
Compile and run the following code:
package org.example; import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String\[\] args) throws IOException {
int\[\] original = new int\[0x40000000\];
byte\[\] shuffled = BitShuffle.shuffle(original);
System.out.println(shuffled\[0\]);
}
}
The program will crash, showing the following error (or similar):
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
at org.example.Main.main(Main.java:12)
Process finished with exit code 1
Alternatively - compile and run the following code:
package org.example; import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String\[\] args) throws IOException {
int\[\] original = new int\[0x20000000\];
byte\[\] shuffled = BitShuffle.shuffle(original);
}
}
The program will crash with the following error (or similar):
Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648
at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)
at org.example.Main.main(Main.java:11)
References
- GHSA-pqr6-cmr2-h8hf
- xerial/snappy-java@820e2e0
- https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107
- https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java
Related news
IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138
Red Hat Security Advisory 2023-5165-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Issues addressed include code execution, denial of service, deserialization, and integer overflow vulnerabilities.
Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service. * CVE-2021-37137: A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a speciall...
snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also when using the `shuffle` functions that receive a double,...