Snappy-java is a fast and efficient compression and decompression library for Java applications. Due to unchecked multiplications, versions prior to 1.1.10.1 may suffer an integer overflow causing a fatal error. This write-up provides an overview of the issue and the relevant code snippets, links to original references, and details of the exploit.

Code Snippet

The core issue lies in the compress(char[] input, ...) overload in Snappy.java. Here is the flawed function:

public static int compress(char[] input, int inputOffset, int length, byte[] output, int outputOffset) throws IOException {
    // length is a count of chars; length * 2 is the byte count handed to the native layer.
    // The multiplication is never checked, so a large length wraps into a negative int.
    int outputLength = rawCompress(input, inputOffset, length * 2, output, outputOffset);
    return outputLength;
}

The function multiplies the input length (a char count) by two to obtain a byte count before passing it to rawCompress. Because the multiplication is unchecked, a sufficiently large length wraps around and produces a negative value.

Original References

1. Snappy-java repository: https://github.com/xerial/snappy-java
2. Vulnerable version commit: https://github.com/xerial/snappy-java/commit/02dadf9e5df8e87b9bf314beafadf32a555538c2
3. Fixed version commit: https://github.com/xerial/snappy-java/commit/eee4c9c85a1d623a94022e641ec324642d93e163

Exploit Details

When the integer overflow occurs, rawCompress passes the negative length to the natively compiled maxCompressedLength function. The native code treats the value as an unsigned integer, so it computes a buffer size that looks valid and returns it to the Java side.

This creates two potential scenarios:

1. If the returned size is negative, Java raises a java.lang.NegativeArraySizeException when rawCompress tries to allocate buf.
2. If the returned size is positive, the allocation of buf succeeds, but the buffer may be smaller than the compression actually needs, causing a fatal Access Violation in the native code.

The same problem exists in the compress functions for double, float, int, long, and short input arrays. Each uses a different multiplier, leading to similar integer overflow issues.

The vulnerability most likely won't cause any problems when using byte arrays, since a byte array with a negative size or with size 0x80000000 cannot be allocated in the first place.
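The following program is an added example, not code from the snappy-java project. It reproduces the unchecked length * multiplier arithmetic from the compress overloads described above for the 2-, 4- and 8-byte element sizes, classifies each wrapped result according to the two scenarios, and contrasts it with a checked computation based on Math.multiplyExact plus an overflow-safe (offset, length) window check that a caller can apply before handing data to any native compressor. The element counts in the lengths array are constructed for illustration; the class and method names are this example's own. As the output shows, with a multiplier of 2 every overflow lands in the negative range (scenario 1), while multipliers of 4 and 8 can wrap to zero or to a small positive number (scenario 2).

```java
/**
 * Added example, not snappy-java code: reproduces the unchecked arithmetic from
 * Snappy.compress(<primitive>[] ...) and shows a checked replacement.
 */
public final class SnappyLengthCheck {

    /** Element sizes of the affected overloads: char/short = 2, int/float = 4, long/double = 8. */
    static final int[] MULTIPLIERS = {Character.BYTES, Integer.BYTES, Long.BYTES};

    /** The flawed arithmetic: Java int multiplication wraps silently on overflow. */
    static int uncheckedByteLength(int length, int bytesPerElement) {
        return length * bytesPerElement;
    }

    /** Hardened arithmetic: rejects negative counts and throws instead of wrapping. */
    static int checkedByteLength(int length, int bytesPerElement) {
        if (length < 0) {
            throw new IllegalArgumentException("negative element count: " + length);
        }
        return Math.multiplyExact(length, bytesPerElement); // ArithmeticException on overflow
    }

    /**
     * Bounds-check a caller-supplied (offset, length) window against the backing array,
     * written as offset > arrayLength - length so that offset + length itself cannot overflow.
     */
    static void checkWindow(int arrayLength, int offset, int length) {
        if (offset < 0 || length < 0 || offset > arrayLength - length) {
            throw new IndexOutOfBoundsException(
                "window [" + offset + ", " + offset + "+" + length + ") exceeds array of " + arrayLength);
        }
    }

    /** Maps a wrapped byte count onto the two failure scenarios described in the write-up. */
    static String classify(int wrapped) {
        if (wrapped < 0) {
            return "negative -> NegativeArraySizeException when buf is allocated";
        }
        return "non-negative but far too small -> undersized buf, Access Violation in native code";
    }

    public static void main(String[] args) {
        // Constructed element counts around the point where length * multiplier exceeds Integer.MAX_VALUE.
        int[] lengths = {1 << 30, 0x50000000, 0x28000000, Integer.MAX_VALUE};

        for (int bytesPerElement : MULTIPLIERS) {
            for (int length : lengths) {
                int wrapped = uncheckedByteLength(length, bytesPerElement);
                long exact = (long) length * bytesPerElement; // what the byte count should be
                if (exact != wrapped) {
                    System.out.printf("length=%d x%d: exact=%d, int result=%d (%s)%n",
                        length, bytesPerElement, exact, wrapped, classify(wrapped));
                }
                try {
                    checkedByteLength(length, bytesPerElement);
                } catch (ArithmeticException e) {
                    System.out.printf("  checked version rejects length=%d x%d: %s%n",
                        length, bytesPerElement, e.getMessage());
                }
            }
        }

        // A window whose offset + length would wrap must still be rejected.
        try {
            checkWindow(16, 8, Integer.MAX_VALUE);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("window check rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac SnappyLengthCheck.java && java SnappyLengthCheck. The checked helpers are the kind of guard a library caller can place in front of compress until the dependency is on 1.1.10.1 or newer; they do not replace the upgrade, because the unchecked multiplication still runs inside the library.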

Solution and Patch

The issue is resolved in version 1.1.10.1 of snappy-java. It is highly recommended to update your snappy-java library to the patched version or newer to avoid integer overflow issues and ensure optimal performance.

Timeline

Published on: 06/15/2023 17:15:00 UTC
Last modified on: 06/27/2023 16:04:00 UTC