yiguolei commented on code in PR #63910:
URL: https://github.com/apache/doris/pull/63910#discussion_r3328834842
##########
be/src/util/decompressor.cpp:
##########
@@ -676,6 +676,16 @@ Status SnappyBlockDecompressor::decompress(uint8_t* input,
uint32_t input_len,
&decompressed_small_block_len))
{
return Status::InternalError("Failed to do snappy
decompress.");
}
+ // snappy::RawUncompress writes decompressed_small_block_len bytes
to output_ptr
+ // without a destination-capacity argument, so the header-declared
length must be
+ // checked against the remaining output buffer to avoid an
out-of-bounds write.
+ std::size_t available_output_len = output_max_len - (output_ptr -
output);
+ if (decompressed_small_block_len > available_output_len) {
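Review bot: In `available_output_len = output_max_len - (output_ptr - output)` the result is stored in a `std::size_t`, so if `output_ptr` has ever advanced past `output + output_max_len` the value becomes a very large number and the following `decompressed_small_block_len > available_output_len` check passes instead of rejecting the block. Consider computing the used length first, returning an error when it exceeds `output_max_len`, and only then subtracting. A unit test that feeds a small block whose header-declared length is larger than the remaining output space would pin the new check down.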
Review Comment:
please add beut for this case