prevent decompression DoS issues #3257

totaam · 2021-09-08T06:42:52Z

Both the lz4 and zlib compressors now prevent decompressing packets that would consume too much memory: 83c72ba.
The default value is 256MB, which is enough for 8K in 32-bit BGRA format: 768043204 is ~128MB.

Unfortunately:

lzo doesn't have the ability to limit its output size - perhaps it should be retired? (lz4 does everything better)
brotli doesn't expose this ability through the python wrapper? https://github.com/google/brotli/blob/master/python/brotli.py

The text was updated successfully, but these errors were encountered:

totaam · 2021-09-08T06:56:26Z

Also removed lzo from:

totaam · 2021-09-08T08:45:53Z

As for brotli, those concerned about memory bombs can disable it until we implement #3258.

totaam added a commit that referenced this issue Sep 8, 2021

#3257 remove lzo compression

f731208

totaam mentioned this issue Sep 8, 2021

brotli cython decompressor #3258

Closed

totaam closed this as completed Sep 8, 2021

totaam added a commit that referenced this issue Sep 8, 2021

#3257 missed from f731208

98bd331

totaam mentioned this issue Sep 8, 2021

Clipboard cannot transfer Client>Server big amounts of text #3260

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

prevent decompression DoS issues #3257

prevent decompression DoS issues #3257

totaam commented Sep 8, 2021

totaam commented Sep 8, 2021

totaam commented Sep 8, 2021

prevent decompression DoS issues #3257

prevent decompression DoS issues #3257

Comments

totaam commented Sep 8, 2021

totaam commented Sep 8, 2021

totaam commented Sep 8, 2021