This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-409: prevent decompression bombs — VC-53739 #3

Open

torresashjiancyber wants to merge 1 commit into Venafi:master from torresashjiancyber:VC-53739-logos-fix-c

Conversation

@torresashjiancyber

Summary

Enforce a 64 MiB decompression limit for OpenPGP Compressed Data Packets to prevent decompression bomb attacks (CWE-409).

Finding

CWE-409: Improper Handling of Highly Compressed Data
CVSS 4.0: 5.1 (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

pgpdump processes OpenPGP Compressed Data Packets (tag 8) without enforcing a decompression size limit. An attacker can supply a small compressed input that expands to gigabytes of output (e.g., 1 KB → 1 GB compression ratio), causing the process to exhaust available memory (decompression bomb / zip bomb).

The vulnerability exists in both zlib (DEFLATE) and bzip2 decompression paths:

  • inflate_gzip() in buffer.c (lines 222-261)
  • inflate_bzip2() in buffer.c (lines 265-306)

Neither function tracked total decompressed bytes or enforced a maximum output size.

Remediation

Added decompression bomb protection to buffer.c:

  1. Defined MAX_DECOMPRESS_SIZE constant set to 64 MiB (67,108,864 bytes)
  2. Added total_decompressed counter to track cumulative decompressed output
  3. Reset counter to zero at the start of Compressed_Data_Packet()
  4. Added size checks in both inflate_gzip() and inflate_bzip2() after each decompression chunk
  5. Exit with clear error message when limit is exceeded: "decompression bomb detected: output exceeds 64 MiB limit."

The fix is minimal and focused:

  • Only modifies buffer.c (22 insertions, 3 deletions)
  • No changes to command-line interface or API
  • Fails safely when limit is exceeded

Verification

  • Code compiles successfully (no build errors)
  • Decompression limit properly enforced in both zlib and bzip2 code paths
  • Error message clearly indicates decompression bomb detection
  • Counter properly reset for each compressed packet

Files changed: buffer.c
Diff: 1 file changed, 22 insertions(+), 3 deletions(-)
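The counter-and-limit pattern the description outlines, as an added example in Python; it is not the PR's change to buffer.c or any pgpdump code. It assumes zlib.decompressobj() and bz2.BZ2Decompressor, both of which accept a max_length so output is produced in bounded steps and a running total can be checked after each step; the 1 MiB and 8 MiB limits used for the quick demonstration are constructed, while the default constant matches the PR's 64 MiB.

```python
import bz2
import zlib

# Same ceiling the PR description uses: 64 MiB (67,108,864 bytes).
MAX_DECOMPRESS_SIZE = 64 * 1024 * 1024
CHUNK = 64 * 1024  # upper bound on output requested per decompressor call


class DecompressionBomb(Exception):
    """Decompressed output would exceed the configured limit."""


def _inflate_bounded(decomp, data, limit, keeps_unconsumed):
    """Drive a decompressor object in steps, tracking cumulative output.

    Each call asks for at most min(CHUNK, limit - total + 1) bytes, so the
    first byte past the limit is detected without materialising more output.
    zlib.decompressobj hands leftover input back via unconsumed_tail;
    bz2.BZ2Decompressor keeps it internally and is fed b"" on later calls.
    """
    total, out, pending = 0, [], data
    while not decomp.eof:
        want = min(CHUNK, limit - total + 1)
        chunk = decomp.decompress(pending, want)
        total += len(chunk)
        if total > limit:
            raise DecompressionBomb(
                f"decompression bomb detected: output exceeds {limit} bytes")
        out.append(chunk)
        pending = decomp.unconsumed_tail if keeps_unconsumed else b""
        if not chunk and not pending:
            break  # truncated stream: no input left and no output produced
    return b"".join(out)


def inflate_zlib(data, limit=MAX_DECOMPRESS_SIZE, wbits=zlib.MAX_WBITS):
    """zlib/DEFLATE path; pass wbits=-zlib.MAX_WBITS for raw DEFLATE data."""
    return _inflate_bounded(zlib.decompressobj(wbits), data, limit, True)


def inflate_bzip2(data, limit=MAX_DECOMPRESS_SIZE):
    """bzip2 path."""
    return _inflate_bounded(bz2.BZ2Decompressor(), data, limit, False)


def is_bomb(inflate, data, limit=MAX_DECOMPRESS_SIZE):
    """True if inflating `data` with `inflate` would exceed `limit`."""
    try:
        inflate(data, limit)
    except DecompressionBomb:
        return True
    return False
```

A packet whose decompressed size equals the limit is accepted; the first byte beyond it raises DecompressionBomb before any further output is buffered.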
