github-advanced-security[bot] commented on code in PR #16620:
URL: https://github.com/apache/druid/pull/16620#discussion_r1650417685
##########
processing/src/main/java/org/apache/druid/query/groupby/epinephelinae/RowBasedGrouperHelper.java:
##########
@@ -1371,6 +1361,69 @@
);
}
+ @Override
+ public ObjectMapper decorateObjectMapper(ObjectMapper spillMapper)
+ {
+
+ final JsonDeserializer<RowBasedKey> deserializer = new
JsonDeserializer<RowBasedKey>()
+ {
+ @Override
+ public RowBasedKey deserialize(
+ JsonParser jp,
+ DeserializationContext deserializationContext
+ ) throws IOException
+ {
+ if (!jp.isExpectedStartArrayToken()) {
+ throw DruidException.defensive("Expected array start token,
received [%s]", jp.getCurrentToken());
+ }
+ jp.nextToken();
+
+ final ObjectCodec codec = jp.getCodec();
+ final int timestampAdjustment = includeTimestamp ? 1 : 0;
+ final int dimsToRead = timestampAdjustment + serdeHelpers.length;
+ int dimsReadSoFar = 0;
+ final Object[] objects = new Object[dimsToRead];
+
+ while (jp.currentToken() != JsonToken.END_ARRAY) {
+ if (dimsReadSoFar >= dimsToRead) {
+ throw DruidException.defensive("More dimensions encountered than
expected [%d]", dimsToRead);
+ }
+
+ if (includeTimestamp && dimsReadSoFar == 0) {
+ // Read the timestamp
+ objects[dimsReadSoFar] = codec.readValue(jp, Long.class);
+ } else {
+ DruidException.conditionalDefensive(
+ dimsReadSoFar - timestampAdjustment < serdeHelpers.length,
+ "Insufficient serde helpers present"
+ );
+ // Read the dimension
+ serdeHelpers[dimsReadSoFar - timestampAdjustment].getClazz();
+ objects[dimsReadSoFar] =
+ codec.readValue(jp, serdeHelpers[dimsReadSoFar -
timestampAdjustment].getClazz());
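Review bot: The index `dimsReadSoFar - timestampAdjustment` into `serdeHelpers` is only guarded by `DruidException.conditionalDefensive(...)`, which the code scanner cannot recognise as a bounds check, hence the out-of-bounds alert on the `codec.readValue(...)` line. The index is actually in range, because the loop already enforces `dimsReadSoFar < dimsToRead` and `dimsToRead = timestampAdjustment + serdeHelpers.length`, but making that visible would both silence the alert and read more clearly: compute `final int dimIndex = dimsReadSoFar - timestampAdjustment;` once, guard it with an explicit `if (dimIndex >= serdeHelpers.length) { throw DruidException.defensive("Insufficient serde helpers present"); }`, and then use `serdeHelpers[dimIndex].getClazz()` in the `readValue` call. That also removes the stray `serdeHelpers[dimsReadSoFar - timestampAdjustment].getClazz();` statement two lines above, whose result is discarded and whose lookup is repeated on the very next line.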
Review Comment:
## Array index out of bounds
This array access might be out of bounds, as the index might be equal to the array length.
[Show more details](https://github.com/apache/druid/security/code-scanning/7496)
##########
processing/src/main/java/org/apache/druid/query/groupby/epinephelinae/RowBasedGrouperHelper.java:
##########
@@ -1371,6 +1361,69 @@
);
}
+ @Override
+ public ObjectMapper decorateObjectMapper(ObjectMapper spillMapper)
+ {
+
+ final JsonDeserializer<RowBasedKey> deserializer = new
JsonDeserializer<RowBasedKey>()
+ {
+ @Override
+ public RowBasedKey deserialize(
+ JsonParser jp,
+ DeserializationContext deserializationContext
+ ) throws IOException
+ {
+ if (!jp.isExpectedStartArrayToken()) {
+ throw DruidException.defensive("Expected array start token,
received [%s]", jp.getCurrentToken());
+ }
+ jp.nextToken();
+
+ final ObjectCodec codec = jp.getCodec();
+ final int timestampAdjustment = includeTimestamp ? 1 : 0;
+ final int dimsToRead = timestampAdjustment + serdeHelpers.length;
+ int dimsReadSoFar = 0;
+ final Object[] objects = new Object[dimsToRead];
+
+ while (jp.currentToken() != JsonToken.END_ARRAY) {
+ if (dimsReadSoFar >= dimsToRead) {
+ throw DruidException.defensive("More dimensions encountered than
expected [%d]", dimsToRead);
+ }
+
+ if (includeTimestamp && dimsReadSoFar == 0) {
+ // Read the timestamp
+ objects[dimsReadSoFar] = codec.readValue(jp, Long.class);
+ } else {
+ DruidException.conditionalDefensive(
+ dimsReadSoFar - timestampAdjustment < serdeHelpers.length,
+ "Insufficient serde helpers present"
+ );
+ // Read the dimension
+ serdeHelpers[dimsReadSoFar - timestampAdjustment].getClazz();
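Review bot: The last line of this hunk, `serdeHelpers[dimsReadSoFar - timestampAdjustment].getClazz();`, discards its return value, so it is a no-op that only adds a second array access for the scanner to flag (this is why alert 7495 duplicates 7496). Either delete the statement, or, if the class is needed for the dimension read that follows, assign it once to a local such as `final Class<?> clazz = serdeHelpers[dimsReadSoFar - timestampAdjustment].getClazz();` and reuse `clazz` instead of repeating the lookup.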
Review Comment:
## Array index out of bounds
This array access might be out of bounds, as the index might be equal to the array length.
[Show more details](https://github.com/apache/druid/security/code-scanning/7495)
--
This is an automated message from the Apache Git Service.