Skip to content

harden: ZstdException on oversized declared size + decompression-bomb tests#35

Merged
dfa1 merged 2 commits into
mainfrom
feat/decompress-bomb-guard
Jun 27, 2026
Merged

harden: ZstdException on oversized declared size + decompression-bomb tests#35
dfa1 merged 2 commits into
mainfrom
feat/decompress-bomb-guard

Conversation

@dfa1

@dfa1 dfa1 commented Jun 27, 2026

Copy link
Copy Markdown
Owner

What

Hardening for untrusted compressed input, from the security review.

(c) Oversized declared size → ZstdException

Zstd.decompress(byte[]) sizes its output from the frame's attacker-controlled declared content size. A header claiming > Integer.MAX_VALUE bytes previously leaked a raw ArithmeticException from Math.toIntExact. It now throws a ZstdException naming the limit and pointing to decompress(byte[], int).

(a) Decompression-bomb tests

New ZstdTest.UntrustedInput pins the behaviour:

  • decompress(byte[], maxSize) refuses a tiny frame that expands to 8 MiB (the safe path).
  • decompress(byte[]) trusts the declared size and expands fully — documenting that untrusted callers must pass a bound.
  • a hand-built frame header declaring > 2 GiB throws ZstdException, not ArithmeticException.

Not in scope (deferred)

(b) the Javadoc security note steering untrusted callers to maxSize — say the word and I'll add it.

Verify

235 tests green, checkstyle + javadoc clean.

🤖 Generated with Claude Code

dfa1 and others added 2 commits June 27, 2026 18:27
…ling

Zstd.decompress(byte[]) reads the (untrusted) content size from the frame header
to size its output. A header declaring more than Integer.MAX_VALUE bytes
previously let a raw ArithmeticException escape from Math.toIntExact; it now
fails with a ZstdException naming the limit and pointing to decompress(byte[],
int) for bounded, untrusted-safe decoding.

Adds ZstdTest.UntrustedInput documenting decompression-bomb behaviour:
- decompress(byte[], maxSize) refuses a tiny frame that expands to 8 MiB,
- decompress(byte[]) trusts the declared size and expands fully (so untrusted
  callers must pass a bound),
- a hand-built frame header declaring > 2 GiB throws ZstdException, not
  ArithmeticException.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds a Security note to Zstd.decompress(byte[]) that it trusts the frame's
declared content size and can be a decompression-bomb vector, steering untrusted
callers to decompress(byte[], int); and notes on the bounded overload that it is
the safe entry point for untrusted input.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dfa1 dfa1 merged commit 33eb302 into main Jun 27, 2026
1 check passed
@dfa1 dfa1 deleted the feat/decompress-bomb-guard branch June 27, 2026 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant