A Java OutofMemoryError occurs if the program attempts to use more heap space than what is available. Among other causes, this error may result from
- a memory leak
- an infinite loop
- limited amounts of default heap memory available
- incorrect implementation of common data structures (hash tables, vectors and so on)
- unbound deserialization
- writing a large number of objects to an
ObjectOutputStream - creating a large number of threads
Noncompliant Code Example (readLine())
This noncompliant code example reads lines of text from a file, and adds each one to a vector, until a line with the word "quit" is encountered.
class ShowHeapError {
private Vector<String> names = new Vector<String>();
private final InputStreamReader input;
private final BufferedReader reader;
public ShowHeapError(String filename) throws IOException {
this.input = new FileReader(filename);
this.reader = new BufferedReader(input);
}
public void addNames() throws IOException {
String newName;
while (((newName = reader.readLine()) != null) &&
(newName.equalsIgnoreCase("quit") == false)) {
names.addElement(newName);
System.out.println("adding " + newName);
}
input.close();
}
public static void main(String[] args) throws IOException {
if (args.length != 1) {
System.out.println("Arguments: [filename]");
return;
}
ShowHeapError demo = new ShowHeapError(args[0]);
demo.addNames();
}
}
The code places no upper bounds on the memory space required to execute the program. Consequently, the program can easily exhaust the available heap space in two ways. First, an attacker can supply arbitrarily many lines in the file, causing the vector to grow until memory is exhausted. Second, an attacker can simply supply an arbitrarily long line, causing the readLine() method to exhaust memory. According to the Java API [[API 2006]], BufferedReader.readLine() method documentation
[
readLine()] Reads a line of text. A line is considered to be terminated by any one of a line feed ('\n'), a carriage return ('\r'), or a carriage return followed immediately by a linefeed.
Any code that uses this method is susceptible to abuse because the user can enter a string of any length.
Compliant Solution (limited length input)
This compliant solution imposes limits, both on the length of each line, and on the total number of items to add to the vector.
class ShowHeapError {
// ... other methods
static public String readLimitedLine(Reader reader, int limit) throws IOException {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < limit; i++) {
int c = reader.read();
if (c == -1) {
return null;
}
if (((char) c == '\n') || ((char) c == '\r')) {
break;
}
sb.append((char) c);
}
return sb.toString();
}
static public final int lineLengthLimit = 1024;
static public final int lineCountLimit = 1000000;
public void addNames() throws IOException {
String newName;
for (int i = 0; i < lineCountLimit; i++) {
newName = readLimitedLine( reader, lineLengthLimit);
if (newName == null) {
break;
}
if (newName.equalsIgnoreCase("quit")) {
break;
}
names.addElement(newName);
System.out.println("adding " + newName);
}
input.close();
}
}
The readLimitedLine() method defined above takes a numeric limit, indicating the total number of characters that may exist on one line. If a line contains more characters, the line is truncated, and they are returned on the next invocation. This prevents an attacker from exhausting memory by supplying input with no line breaks.
Compliant Solution (Java 1.7, limited file size)
This compliant solution impose a limit on the size of the file being read. This is accomplished with the Files.size() method which is new to Java 1.7. If the file is within the limit, we can assume the standard readLine() method will not exhaust memory, nor will memory be exhausted by the while loop.
class ShowHeapError {
// ...other methods
static public final int fileSizeLimit = 1000000;
public ShowHeapError(String filename) throws IOException {
if (Files.size( Paths.get( filename)) > fileSizeLimit) {
throw new IOException("File too large");
}
this.input = new FileReader(filename);
this.reader = new BufferedReader(input);
}
Noncompliant Code Example
In a server-class machine using a parallel garbage collector, the default initial and maximum heap sizes are as follows for J2SE 6.0 [[Sun 2006]]:
- initial heap size: larger of 1/64th of the machine's physical memory on the machine or some reasonable minimum
- maximum heap size: smaller of 1/4th of the physical memory or 1GB
This noncompliant code example requires more memory on the heap than is available by default.
/** Assuming the heap size as 512 MB (calculated as 1/4th of 2 GB RAM = 512 MB)
* Considering long values being entered (64 bits each, the max number of elements
* would be 512 MB/64bits = 67108864)
*/
public class ShowHeapError {
Vector<Long> names = new Vector<Long>(); // Accepts unknown number of records
long newID = 0L;
int count = 67108865;
int i = 0;
InputStreamReader input = new InputStreamReader(System.in);
Scanner reader = new Scanner(input);
public void addNames() {
do {
// Adding unknown number of records to a list
// The user can enter more IDs than the heap can support and thus
// exhaust the heap. Assume that the record ID is a 64 bit long value
System.out.print("Enter recordID (To quit, enter -1): ");
newID = reader.nextLong();
names.addElement(newID);
i++;
}while (i < count || newID != -1);
// Close "reader" and "input"
}
public static void main(String[] args) {
ShowHeapError demo = new ShowHeapError();
demo.addNames();
}
}
Compliant Solution
A simple compliant solution is to lower the number of names to read.
// ... int count = 10000000; // ...
Compliant Solution
The OutOfMemoryError can be avoided by ensuring that the absence of infinite loops, memory leaks, and unnecessary object retention. When memory requirements are known ahead of time, the heap size can be tailored to fit the requirements using the following runtime parameters [[Java 2006]]:
java -Xms<initial heap size> -Xmx<maximum heap size>
For example,
java -Xms128m -Xmx512m ShowHeapError
Here the initial heap size is set to 128 MB and the maximum heap size to 512 MB.
This setting can be changed either using the Java Control Panel or from the command line. It cannot be adjusted through the application itself.
Risk Assessment
Assuming that infinite heap space is available can result in denial of service.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MSC11-J |
low |
probable |
medium |
P4 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website
Other Languages
This rule appears in the C Secure Coding Standard as MEM11-C. Do not assume infinite heap space.
This rule appears in the C++ Secure Coding Standard as MEM12-CPP. Do not assume infinite heap space.
Related Vulnerabilities
Bibliography
[[Sun 2006]] Garbage Collection Ergonomics
, "Default values for the Initial and Maximum heap size"
[[Java 2006]] java - the Java application launcher, "Syntax for increasing the heap size"
[[Sun 2003]] Chapter 5: Tuning the Java Runtime System, Tuning the Java Heap
[[API 2006]] Class ObjectInputStream and ObjectOutputStream
[[SDN 2008]] Serialization FAQ
[[MITRE 2009]] CWE-400 "Uncontrolled Resource Consumption ('Resource Exhaustion')," CWE-770, "Allocation of Resources Without Limits or Throttling"
MSC10-J. Limit the lifetime of sensitive data 49. Miscellaneous (MSC) MSC12-J. Prefer using Iterators over Enumerations