Those files are designed to exhaust the system resources *before* you can even d...

crazygringo · 2025-04-29T22:19:56 1745965196

Not really. It really is that simple. It's just dictionary decompression, and it's just halting it at some limit.

It's just nobody usually implements a limit during decompression because people aren't usually giving you zip bombs. And sometimes you really do want to decompress ginormous files, so limits aren't built in by default.

Your given language might not make it easy to do, but you should pretty much always be able to hack something together using file streams. It's just an extra step is all.

gchamonlive · 2025-04-30T11:43:20 1746013400

I honestly thought it was harder. It's still a burden on the developer to use the tools in the intended way so that the application isn't vulnerable, so it's something to keep in mind when implementing functionality that requires unpacking user provided compressed archives.

Dylan16807 · 2025-04-30T18:36:42 1746038202

> it's intuitively not strange for me to have a a zip that is carefully crafted so that memory and CPU goes out the window before any check can be done

It's intuitively extremely strange to me!

Even ignoring how zips work: Memory needs to be allocated in chunks. So before allocating a chunk, you can check if the new memory use will be over a threshold. CPU is used by the program instructions you control, so you can put checks at significant points in your program to see if it hit a threshold. Or you can have a thread you kill after a certain amount of time.

But the way zips do work makes it a lot simpler: Fundamentally it's "output X raw bytes, then repeat Y bytes from location Z" over and over. Abort if those numbers get too big.