A Better Zip Bomb

https://news.ycombinator.com/rss Hits: 18
Summary

David Fifield david@bamsoftware.com
2019-07-02, updated 2019-07-03, 2019-07-05, 2019-07-06, 2019-07-08, 2019-07-18, 2019-07-20, 2019-07-22, 2019-07-24, 2019-08-05, 2019-08-19, 2019-08-22, 2019-10-14, 2019-10-18, 2019-10-30, 2019-11-28, 2020-07-28, 2021-01-21, 2021-02-02, 2021-05-03, 2021-07-29, 2023-05-18

This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.

Source code: git clone https://www.bamsoftware.com/git/zipbomb.git
zipbomb-20210121.zip
Data and source for figures: git clone https://www.bamsoftware.com/git/zipbomb-paper.git
Presentation video
Russian translation by @m1rko. Chinese translation: 北岸冷若冰霜.

There are two versions of 42.zip, an older version of 42 374 bytes, and a newer version of 42 838 bytes. The difference is that the newer version requires a password before unzipping. We compare only against the older version. Here is a copy if you need it: 42.zip.

| | zipped size | unzipped size (non-recursive) | ratio (non-recursive) | unzipped size (recursive) | ratio (recursive) |
|---|---|---|---|---|---|
| Cox quine | 440 | 440 | 1.0 | ∞ | ∞ |
| Ellingsen quine | 28 809 | 42 569 | 1.5 | ∞ | ∞ |
| 42.zip | 42 374 | 558 432 | 13.2 | 4 507 981 343 026 016 | 106 billion |
| this technique | 42 374 | 5 461 307 620 | 129 thousand | 5 461 307 620 | 129 thousand |
| this technique | 9 893 525 | 281 395 456 244 934 | 28 million | 281 395 456 244 934 | 28 million |
| this technique (Zip64) | 45 876 952 | 4 507 981 427 706 459 | 98 million | 4 507 981 427 706 459 | 98 million |

On 2023-05-16 there appeared https://42.zip/...

First seen: 2025-12-19 22:19

Last seen: 2025-12-20 15:28