Software Engineering Institute

Many file scanners will decompress compressed file archives in memory so their contents can be scanned. However, some of these scanners do not check if there is enough memory available to decompress the file.

The Zip compression algorithm allows a maximum compression ratio of 1000:1, and with nested Zip archives, it is possible to create a small archive that would decompress to a size several thousands of times greater, and much greater than the memory available on most systems.

When a file scanner tries to decompress such an archive without ensuring that there is enough memory available, it may fail and crash. As file scanners are sometimes used to scan message attachments on mail servers, this problem could have additional negative effects on the services provided by mail servers.

Attackers can design a file which will crash a file scanner and possibly cause additional problems for mail servers that employ file scanners.

The CERT/CC is currently unaware of a practical solution to this problem.

None.