Summary
This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.
zbsm.zip 42 kB → 5.5 GB
zblg.zip 10 MB → 281 TB
zbxl.zip 46 MB → 4.5 PB (Zip64, less compatible)
Source code:
git clone https://www.bamsoftware.com/git/zipbomb.git
zipbomb-20190702.zip
Data and source for figures:
git clone https://www.bamsoftware.com/git/zipbomb-paper.git
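A defender can screen for the overlapping-files construction summarized above without decompressing anything, by checking whether the byte ranges of archive members intersect and how large the declared output is relative to the archive. The following Python sketch is an added example, not code from the zipbomb repository. The names `entry_spans`, `find_overlaps`, `inspect_zip` and `sample_zip` and the `max_ratio` threshold are assumptions chosen for illustration, and data descriptors after the file data are not counted.

```python
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<4s5H3L2H")  # fixed 30-byte local file header

def entry_spans(data):
    """(name, start, end) byte range of each member's local header + data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            fields = LOCAL_HEADER.unpack_from(data, info.header_offset)
            if fields[0] != b"PK\x03\x04":
                raise ValueError(f"bad local header for {info.filename!r}")
            # Name/extra lengths come from the local header; the compressed
            # size comes from the central directory, as an extractor reads it.
            end = (info.header_offset + LOCAL_HEADER.size
                   + fields[9] + fields[10] + info.compress_size)
            spans.append((info.filename, info.header_offset, end))
    return spans

def find_overlaps(spans):
    """Pairs of member names whose byte ranges intersect (sorted sweep)."""
    hits, reach_name, reach_end = [], None, -1
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < reach_end:
            hits.append((reach_name, name))
        if end > reach_end:
            reach_name, reach_end = name, end
    return hits

def inspect_zip(data, max_ratio=1000):  # max_ratio: assumed policy threshold
    """Summarize overlap and declared expansion without decompressing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        declared = sum(i.file_size for i in zf.infolist())
    overlaps = find_overlaps(entry_spans(data))
    ratio = declared / len(data)
    return {"overlaps": overlaps, "ratio": ratio,
            "reject": bool(overlaps) or ratio > max_ratio}

def sample_zip():
    """Constructed benign archive: two small, non-overlapping members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 5000)
        zf.writestr("b.txt", b"B" * 5000)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(sample_zip()))
```

The declared sizes are read from the central directory, which the archive's author controls, so the overlap check is the stronger signal and the ratio is only a coarse secondary filter.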