String Loader does not check length of download
complete
Tholin
The newly added String Loader (and presumably also Image Loader) do not check that the size of the downloaded data is actually sane.
By pointing the String Loader to a file 100 Gigabytes in size, I was able to trigger VRChat to slowly use up all available RAM on my system, locking up the operating system and forcing me to power-cycle the machine to recover.
Of note is that I did not do anything to prevent the Content-Length header from being transmitted, meaning the String Loader should've been fully aware from the start that it was going to receive 100GB of data.
Log In
Fax
complete
Thanks for the report! This was fixed last year.
Catsix
Is this new stringloader shit why some avatars now freeze everyone in the instance when it loads in for them?
Kosyne
Catsix: no, this is udon/world stuff, not avatars.
Lush
tracked
miner28_3
Lush: Also, please do make sure to still allow files of around 100MBs to be downloaded! In some cases, people may require a decently large sized file for download.
This will prevent another Canny being made immediately after fix is made to increase the download limit again.
Kosyne
Lush: That, or let the world creator set the size limit (in cases where world creators may allow users to input URLs)
DrBlackRat
That's not really a big problem tbh. Worlds already have a LOT of ways to crash a user, so this doesn't really change anything.
miner28_3
DrBlackRat: Agreed tbh, there's actually worse ways BUT this way has one issue, if worlds have VRCUrlInputField as input for something.. But there's same if not worse with VideoPlayers too xD
Tholin
miner28_3: I'd argue this one is worse, because of how easy it is. It also takes several minutes before the crash happens, and it doesn't happen to everyone at once. Its the perfect storm of fast to execute, easy to set up and incredibly subtle. By the time anyone realizes what's going on, the crasher has long left the instance.
D
Docteh
Tholin: are there any worlds yet that accept arbitrary string URL for input?
Worlds using this feature could make it so that the person who adds the URL loads it first and then gives out the URL.
I think at this point there is plenty of time to fix this before it's an issue. Need a popular world, and somewhere to host a large file. I wonder if windows 10 ISO is enough
miner28_3
Tholin: You can do the exact thing with VideoPlayer as well. It takes many minute to crash with the videoPlayer way and it can't be stopped other than restart
TheCreationKing
DrBlackRat: Issue is this goes beyond a crash, it made them power-cycle. That can harm your system (like if something was mid update), or make you lose data if you didn't save something before this happened.
D
Docteh
I guess that answers the question I had about maximum download size.
I'm surprised that windows doesn't kill process for such leaking.