fix: Limit decompression of UE4 crashes (#1121)

Applies the maximum Envelope size to limit decompression of UE4 crash
archives. This a potential unbounded buffer allocation during
decompression.

Author: jan-auer

CHANGELOG.md

@@ -10,6 +10,8 @@
 **Bug Fixes**:
 
 - Avoid unbounded decompression of encoded requests. A particular request crafted to inflate to large amounts of memory, such as a zip bomb, could put Relay out of memory. ([#1117](https://github.com/getsentry/relay/pull/1117))
+- Avoid unbounded decompression of UE4 crash reports. Some crash reports could inflate to large amounts of memory before being checked for size, which could put Relay out of memory. ([#1121](https://github.com/getsentry/relay/pull/1121))
+
 
 **Internal**:
 

Cargo.lock

@@ -64,7 +64,7 @@ serde = { version = "1.0.114", features = ["derive"] }
 serde_json = "1.0.55"
 serde_urlencoded = "0.7.0"
 smallvec = { version = "1.4.0", features = ["serde"] }
-symbolic = { version = "8.0.4", optional = true, default-features=false, features=["unreal-serde"] }
+symbolic = { version = "8.4.0", optional = true, default-features=false, features=["unreal-serde"] }
 take_mut = "0.2.2"
 tokio = { version = "1.0", features = ["rt-multi-thread"] } # in sync with reqwest
 tokio-timer = "0.2.13"

relay-server/Cargo.toml

@@ -64,6 +64,7 @@ use {
     relay_filter::FilterStatKey,
     relay_general::store::{GeoIpLookup, StoreConfig, StoreProcessor},
     relay_quotas::{RateLimitingError, RedisRateLimiter},
+    symbolic::unreal::{Unreal4Error, Unreal4ErrorKind},
 };
 
 /// The minimum clock drift for correction to apply.
@@ -85,7 +86,7 @@ enum ProcessingError {
 
     #[cfg(feature = "processing")]
     #[fail(display = "invalid unreal crash report")]
-    InvalidUnrealReport(#[cause] symbolic::unreal::Unreal4Error),
+    InvalidUnrealReport(#[cause] Unreal4Error),
 
     #[fail(display = "event payload too large")]
     PayloadTooLarge,
@@ -202,6 +203,16 @@ impl ProcessingError {
     }
 }
 
+#[cfg(feature = "processing")]
+impl From<Unreal4Error> for ProcessingError {
+    fn from(err: Unreal4Error) -> Self {
+        match err.kind() {
+            Unreal4ErrorKind::TooLarge => Self::PayloadTooLarge,
+            _ => ProcessingError::InvalidUnrealReport(err),
+        }
+    }
+}
+
 /// Contains the required envelope related information to create an outcome.
 #[derive(Clone, Copy, Debug)]
 pub struct EnvelopeContext {
@@ -959,12 +970,7 @@ impl EnvelopeProcessor {
         let envelope = &mut state.envelope;
 
         if let Some(item) = envelope.take_item_by(|item| item.ty() == ItemType::UnrealReport) {
-            utils::expand_unreal_envelope(item, envelope)
-                .map_err(ProcessingError::InvalidUnrealReport)?;
-
-            if !utils::check_envelope_size_limits(&self.config, envelope) {
-                return Err(ProcessingError::PayloadTooLarge);
-            }
+            utils::expand_unreal_envelope(item, envelope, &self.config)?;
         }
 
         Ok(())

relay-server/src/actors/envelopes.rs

@@ -1,5 +1,6 @@
+use relay_config::Config;
 use symbolic::unreal::{
-    Unreal4Context, Unreal4Crash, Unreal4Error, Unreal4FileType, Unreal4LogEntry,
+    Unreal4Context, Unreal4Crash, Unreal4Error, Unreal4ErrorKind, Unreal4FileType, Unreal4LogEntry,
 };
 
 use relay_general::protocol::{
@@ -47,9 +48,10 @@ fn get_event_item(data: &[u8]) -> Result<Option<Item>, Unreal4Error> {
 pub fn expand_unreal_envelope(
     unreal_item: Item,
     envelope: &mut Envelope,
+    config: &Config,
 ) -> Result<(), Unreal4Error> {
     let payload = unreal_item.payload();
-    let crash = Unreal4Crash::parse(&payload)?;
+    let crash = Unreal4Crash::parse_with_limit(&payload, config.max_envelope_size())?;
 
     let mut has_event = envelope
         .get_item_by(|item| item.ty() == ItemType::Event)
@@ -86,6 +88,10 @@ pub fn expand_unreal_envelope(
         envelope.add_item(item);
     }
 
+    if !super::check_envelope_size_limits(config, envelope) {
+        return Err(Unreal4ErrorKind::TooLarge.into());
+    }
+
     Ok(())
 }