[
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13577593#comment-13577593
]
Douglas Creager commented on AVRO-1237:
---------------------------------------
If you apply just the test case, you get a segfault (or some other undefined
behavior), as Michael describes. If you also apply Michael's fix patch, then
the test case succeeds.
One possible concern with the fix is that is moves responsibility for doing the
bounds check. Before, we would only check the bounds when reading from an
unsafe source — i.e., inside the function that reads the binary data from the
file. Now, we check the bounds inside of the value's {{set_branch}} method.
This has two ramifications: first, it means that we're now performing a bounds
check *every* time we set the branch of a union value, even if we're doing it
from (ostensibly) safe hard-coded C code. Normally the C idiom would be to
only perform the bounds check where we know that it's needed, allowing us to
save cycles when we know that it's not. I'm not completely against the safe
solution, I just wanted to point out the difference.
The second ramification is that every custom value implementation must now be
responsible for performing this bounds check. I don't know if there very many
people writing their own custom value implementations, but this solution does
add a burden to those who do.
Ideally we'd get around both of these issues by doing the bounds check in the
file reader code, as we did before. But, as Michael probably noticed, we don't
easily have access in that function to the number of branches in the underlying
schema. I want to see how difficult it would be to provide that access; if we
can, then I think that would be a cleaner solution.
> Avro-C segfaults when union discriminant out of bounds
> ------------------------------------------------------
>
> Key: AVRO-1237
> URL: https://issues.apache.org/jira/browse/AVRO-1237
> Project: Avro
> Issue Type: Bug
> Components: c
> Environment: Avro-C 1.7.2
> Ubuntu 12.04 x86_64
> Reporter: Michael Cooper
> Attachments:
> 0001-Check-union-discriminant-bounds-in-both-directions.patch,
> 0001-Test-case-for-AVRO-1237.patch, avro-1237-bad-union-discriminant.avro,
> avro-1237-good.avro
>
>
> libavro will segfault when decrypting a specially crafted (or corrupted) avro
> file when the discriminant is out of bounds.
> There is already a check for < 0, but there is no upper bounds check.
> I have attached a patch that checks the bounds.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
