This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: lzma and bz2 decompress methods lack max_size parameter
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.3, Python 3.4, Python 3.5
Status: closed Resolution: duplicate
Dependencies: Superseder: bz2, lzma: add option to limit output size
View: 15955
Assigned To: Nosy List: nikratio
Priority: normal Keywords:

Created on 2013-04-21 22:05 by nikratio, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (1)
msg187532 - (view) Author: Nikolaus Rath (nikratio) * Date: 2013-04-21 22:05
The zlib Decompress.decompress has a max_length parameter that limits the size of the returned uncompressed data.

The lzma and bz2 decompress methods do not have such a parameter.

Therefore, it is not possible to decompress untrusted lzma or bz2 data without becoming susceptible to a DoS attack, as the attacker can force allocation of gigantic buffers by sending just a tiny amount of compressed data:

$ dd if=/dev/zero bs=128k count=10k | bzip2 -9 > nasty.bz2
10240+0 records in
10240+0 records out
1342177280 bytes (1.3 GB) copied, 11.0892 s, 121 MB/s
$ dir nasty.bz2 
-rw-rw-r-- 1 nikratio nikratio 977 Apr 21 14:58 nasty.bz2

It would be great if the lzma and bz2 decompressor methods could also get a max_length parameters to make this situation less threatening.
Date User Action Args
2022-04-11 14:57:44adminsetgithub: 62013
2013-04-24 10:58:10ezio.melottisetstatus: open -> closed
stage: resolved
2013-04-21 22:09:34serhiy.storchakasetsuperseder: bz2, lzma: add option to limit output size
resolution: duplicate
2013-04-21 22:05:19nikratiosettitle: lzma and bz2 decompress methods lack max_size attribute -> lzma and bz2 decompress methods lack max_size parameter
2013-04-21 22:05:07nikratiocreate