ods: fix DoS via repeated rows/columns (issue #594)#596
Merged
jmcnamara merged 3 commits intotafia:masterfrom Jan 13, 2026
Merged
ods: fix DoS via repeated rows/columns (issue #594)#596jmcnamara merged 3 commits intotafia:masterfrom
jmcnamara merged 3 commits intotafia:masterfrom
Conversation
Add limits to prevent memory exhaustion from malicious ODS files that declare billions of repeated cells via table:number-rows-repeated and table:number-columns-repeated attributes. Protection layers: - Cap columns per row at MAX_COLUMNS (16,384) - Cap total row repeats at MAX_ROWS (1,048,576) - Cap total cells at MAX_CELLS (100 million) in get_range() These limits match XLSX's existing row/column limits and prevent a 7KB malicious file from attempting to allocate memory for 17+ billion cells. When MAX_CELLS is exceeded, return OdsError::CellLimitExceeded instead of silently returning an empty range. This ensures callers are properly informed of truncation rather than receiving silent data loss.
2 tasks
jmcnamara
reviewed
Jan 13, 2026
Collaborator
jmcnamara
left a comment
jmcnamara
left a comment
There was a problem hiding this comment.
Thanks, good work.
All reviews are comments except for the test which should be changed.
src/ods.rs
Outdated
| match reader.read_event_into(&mut buf) { | ||
| Ok(Event::Start(e)) if e.name() == QName(b"table:table-row") => { | ||
| let row_repeats = match e.try_get_attribute(b"table:number-rows-repeated")? { | ||
| let row_repeats: usize = match e.try_get_attribute(b"table:number-rows-repeated")? { |
Collaborator
There was a problem hiding this comment.
Explicit usize isn't required here. This is minor, and harmless, but the reason I mention it is that an explicit type makes me stop to parse why it is required.
This comment applies to the other places usize has been added without being required. You can decide if they should be implicit types instead.
src/ods.rs
Outdated
Comment on lines
+513
to
+514
| let mut empty_row_repeats = 0usize; | ||
| let mut consecutive_empty_rows = 0usize; |
Collaborator
There was a problem hiding this comment.
I prefer empty_row_repeats = 0_usize for legibility or empty_row_repeats: usize = 0 which you use elsewhere.
The type isn't required for consecutive_empty_rows.
- Use static test file - Remove extra type annotations
jmcnamara
approved these changes
Jan 13, 2026
Collaborator
|
@withzombies Merged. Thanks. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix DoS vulnerability where malicious ODS files can exhaust memory by declaring billions of repeated cells via
table:number-rows-repeatedandtable:number-columns-repeatedXML attributes.OdsError::CellLimitExceededinstead of silently returning empty range when limits exceededFixes #594