henryrneh opened a new issue, #12503: URL: https://github.com/apache/lucene/issues/12503
### Description

Dear Apache Lucene maintainers,

The OutOfMemory is triggered in this [line](https://github.com/apache/lucene/blob/main/lucene/core/src/java/org/apache/lucene/util/ArrayUtil.java#L400) by the parse() function of QueryParser when a crafted untrusted input is processed by it. We have reviewed the finding and it might be security-related due to the potential of a denial of service. We would appreciate it if you could take a look at the finding. Do you see a risk that this might be exploited by untrusted input?

Part of the stack trace:

```
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Out of memory (use '-Xmx1710m' to reproduce)
Caused by: java.lang.OutOfMemoryError: Java heap space
	at org.apache.lucene.util.ArrayUtil.growExact(ArrayUtil.java:400)
	at org.apache.lucene.util.ArrayUtil.grow(ArrayUtil.java:412)
	at org.apache.lucene.util.BytesRefBuilder.grow(BytesRefBuilder.java:60)
	at org.apache.lucene.util.BytesRefBuilder.append(BytesRefBuilder.java:71)
	at org.apache.lucene.util.BytesRefBuilder.append(BytesRefBuilder.java:78)
	at org.apache.lucene.util.BytesRefBuilder.append(BytesRefBuilder.java:83)
	at org.apache.lucene.util.BytesRefBuilder.copyBytes(BytesRefBuilder.java:115)
	at org.apache.lucene.analysis.miscellaneous.ConcatenateGraphFilter$BytesRefBuilderTermAttributeImpl.copyTo(ConcatenateGraphFilter.java:380)
	at org.apache.lucene.analysis.miscellaneous.ConcatenateGraphFilter$BytesRefBuilderTermAttributeImpl.clone(ConcatenateGraphFilter.java:386)
	at org.apache.lucene.util.AttributeSource$State.clone(AttributeSource.java:52)
	at org.apache.lucene.util.AttributeSource.captureState(AttributeSource.java:302)
	at org.apache.lucene.analysis.CachingTokenFilter.fillCache(CachingTokenFilter.java:92)
	at org.apache.lucene.analysis.CachingTokenFilter.incrementToken(CachingTokenFilter.java:70)
	at org.apache.lucene.util.QueryBuilder.createFieldQuery(QueryBuilder.java:318)
	at org.apache.lucene.util.QueryBuilder.createFieldQuery(QueryBuilder.java:257)
	at org.apache.lucene.queryparser.classic.QueryParserBase.newFieldQuery(QueryParserBase.java:468)
	at org.apache.lucene.queryparser.classic.QueryParserBase.getFieldQuery(QueryParserBase.java:457)
	at org.apache.lucene.queryparser.classic.QueryParserBase.handleBareTokenQuery(QueryParserBase.java:824)
	at org.apache.lucene.queryparser.classic.QueryParser.Term(QueryParser.java:494)
	at org.apache.lucene.queryparser.classic.QueryParser.Clause(QueryParser.java:366)
	at org.apache.lucene.queryparser.classic.QueryParser.Query(QueryParser.java:251)
	at org.apache.lucene.queryparser.classic.QueryParser.TopLevelQuery(QueryParser.java:223)
	at org.apache.lucene.queryparser.classic.QueryParserBase.parse(QueryParserBase.java:136)
	...
```

We have added a reproducer zip which contains a README that describes how to reproduce the issue.

Reproducer Zip: https://drive.google.com/file/d/1wIbOOZcuEW1uOoTosAtJWxREVwt9imaw/view?usp=sharing

Fuzz target: https://github.com/google/oss-fuzz/blob/master/projects/lucene/QueryParserFuzzer.java

Note: We have updated the fuzz test in the zip file to simplify the debugging process.

OSS-Fuzz issue link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60248

Hint: The provided OSS-Fuzz issue link is only accessible if the issue is fixed or you are the maintainer of the OSS-Fuzz project.

### Version and environment details

_No response_