(avro) branch main updated: AVRO-3635: Disallow skipping a negative amount of bytes (#2997)

Sun, 07 Jul 2024 11:42:09 -0700 

This is an automated email from the ASF dual-hosted git repository.

opwvhk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/avro.git


The following commit(s) were added to refs/heads/main by this push:
     new 9233d6435 AVRO-3635: Disallow skipping a negative amount of bytes 
(#2997)
9233d6435 is described below

commit 9233d64356c782141b8d2c1abd70371d7ad6e0d1
Author: Oscar Westra van Holthe - Kind <[email protected]>
AuthorDate: Sun Jul 7 20:41:12 2024 +0200

    AVRO-3635: Disallow skipping a negative amount of bytes (#2997)
    
    This is what all other implementations of this method do, and fixes
    infinite loops due to malicious data.
---
 .../src/main/java/org/apache/avro/io/BinaryDecoder.java     | 13 ++++++++-----
 .../src/test/java/org/apache/avro/io/TestBinaryDecoder.java |  1 +
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java 
b/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java
index 95030c4a6..7217be3ad 100644
--- a/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java
+++ b/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java
@@ -17,17 +17,17 @@
  */
 package org.apache.avro.io;
 
+import org.apache.avro.AvroRuntimeException;
+import org.apache.avro.InvalidNumberEncodingException;
+import org.apache.avro.SystemLimitException;
+import org.apache.avro.util.Utf8;
+
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
 
-import org.apache.avro.AvroRuntimeException;
-import org.apache.avro.InvalidNumberEncodingException;
-import org.apache.avro.SystemLimitException;
-import org.apache.avro.util.Utf8;
-
 /**
  * An {@link Decoder} for binary-format data.
  * <p/>
@@ -338,6 +338,9 @@ public class BinaryDecoder extends Decoder {
   }
 
   protected void doSkipBytes(long length) throws IOException {
+    if (length <= 0) {
+      return;
+    }
     int remaining = limit - pos;
     if (length <= remaining) {
       pos = (int) (pos + length);
diff --git 
a/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java 
b/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java
index 805335857..b9437bd8a 100644
--- a/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java
+++ b/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java
@@ -661,6 +661,7 @@ public class TestBinaryDecoder {
       // booleans are one byte, array trailer is one byte
       bd.skipFixed((int) leftover + 1);
       bd.skipFixed(0);
+      bd.skipFixed(-8); // Should be a no-op; see AVRO-3635
       bd.readLong();
     }
     EOFException eof = null;

Reply via email to