ghsa-pqr6-cmr2-h8hf
Vulnerability from github
Summary
Due to unchecked multiplications, an integer overflow may occur, causing a fatal error.
Impact
Denial of Service
Description
The function shuffle(int[] input) in the file BitShuffle.java receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.
```java public static byte[] shuffle(int[] input) throws IOException { byte[] output = new byte[input.length * 4]; int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); assert(numProcessed == input.length * 4); return output; }
```
Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”. The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.
Steps To Reproduce
Compile and run the following code:
```java package org.example; import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String[] args) throws IOException {
int[] original = new int[0x40000000];
byte[] shuffled = BitShuffle.shuffle(original);
System.out.println(shuffled[0]);
}
}
``` The program will crash, showing the following error (or similar):
``` Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0 at org.example.Main.main(Main.java:12)
Process finished with exit code 1
```
Alternatively - compile and run the following code:
```java package org.example; import org.xerial.snappy.BitShuffle;
import java.io.*;
public class Main {
public static void main(String[] args) throws IOException {
int[] original = new int[0x20000000];
byte[] shuffled = BitShuffle.shuffle(original);
}
}
``` The program will crash with the following error (or similar):
Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648
at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)
at org.example.Main.main(Main.java:11)
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.10.0" }, "package": { "ecosystem": "Maven", "name": "org.xerial.snappy:snappy-java" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.1.10.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-34453" ], "database_specific": { "cwe_ids": [ "CWE-190" ], "github_reviewed": true, "github_reviewed_at": "2023-06-15T16:13:20Z", "nvd_published_at": "2023-06-15T17:15:09Z", "severity": "MODERATE" }, "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.\n\n```java\npublic static byte[] shuffle(int[] input) throws IOException {\n byte[] output = new byte[input.length * 4];\n int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);\n assert(numProcessed == input.length * 4);\n return output;\n }\n\n```\n\nSince the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a \u201cjava.lang.NegativeArraySizeException\u201d exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as \u201cjava.lang.ArrayIndexOutOfBoundsException\u201d.\nThe same issue exists also when using the \u201cshuffle\u201d functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x40000000];\n byte[] shuffled = BitShuffle.shuffle(original);\n System.out.println(shuffled[0]);\n }\n}\n\n```\nThe program will crash, showing the following error (or similar):\n\n```\nException in thread \"main\" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0\n\tat org.example.Main.main(Main.java:12)\n\nProcess finished with exit code 1\n\n```\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x20000000];\n byte[] shuffled = BitShuffle.shuffle(original);\n }\n}\n\n```\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -2147483648\n\tat org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)\n\tat org.example.Main.main(Main.java:11)\n```", "id": "GHSA-pqr6-cmr2-h8hf", "modified": "2023-06-27T21:57:08Z", "published": "2023-06-15T16:13:20Z", "references": [ { "type": "WEB", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905" }, { "type": "PACKAGE", "url": "https://github.com/xerial/snappy-java" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "snappy-java\u0027s Integer Overflow vulnerability in shuffle leads to DoS" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.