[ https://issues.apache.org/jira/browse/AVRO-1610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15456575#comment-15456575 ]
Ryan Blue commented on AVRO-1610:
---------------------------------

You can paste it in a comment, I can grab the raw comment source. You may also be able to surround it in a verbatim area, the docs for it are here: https://jira.atlassian.com/secure/WikiRendererHelpAction.jspa?section=advanced

> HttpTransceiver.java allocates arbitrary amount of memory
> ---------------------------------------------------------
>
>                 Key: AVRO-1610
>                 URL: https://issues.apache.org/jira/browse/AVRO-1610
>             Project: Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.7.7
>            Reporter: Philip Zeyliger
>
> In {{HttpTransceiver.java}}, Avro does:
> {code}
> // Four bytes read one at a time and combined into a big-endian length;
> // the result goes straight into the allocation below.
> int length = (in.read()<<24)+(in.read()<<16)+(in.read()<<8)+in.read();
> if (length == 0) { // end of buffers
>   return buffers;
> }
> ByteBuffer buffer = ByteBuffer.allocate(length);
> {code}
> This means that badly formatted input (like that produced by {{curl http://host/ --data foo}} and many common security scanners) will trigger an OutOfMemory exception. This is undesirable, especially combined with setups that kill the process on out of memory exceptions.
>
> This bug is similar in spirit to AVRO-1111.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
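The following is an added, stand-alone illustration of the framing problem the issue describes; it is not Avro's code and not part of the JIRA thread. It isolates the quoted length arithmetic so its value on a short body can be inspected, and places a hardened reader next to it that uses `DataInputStream.readInt()` (which fails on a truncated prefix instead of folding -1 into the length), rejects negative lengths, and caps the length at a bound. The class name, the `MAX_BUFFER_LENGTH` constant and its 64 MiB value, and the sample inputs are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class BoundedLengthPrefix {

    // Hypothetical upper bound on a single framed buffer (not an Avro constant).
    static final int MAX_BUFFER_LENGTH = 64 * 1024 * 1024; // 64 MiB

    /** Same arithmetic as the quoted snippet, isolated so its value can be printed. */
    static int lengthAsQuoted(InputStream in) throws IOException {
        // InputStream.read() returns -1 at EOF and that is never checked here,
        // so a body shorter than four bytes still yields a "length".
        return (in.read() << 24) + (in.read() << 16) + (in.read() << 8) + in.read();
    }

    /** Hardened framing reader: truncated, negative and oversized lengths are rejected. */
    static List<ByteBuffer> readBuffers(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        List<ByteBuffer> buffers = new ArrayList<>();
        while (true) {
            int length;
            try {
                length = in.readInt(); // EOFException if fewer than 4 bytes remain
            } catch (EOFException e) {
                throw new IOException("truncated length prefix", e);
            }
            if (length == 0) {
                return buffers; // end-of-buffers marker, same convention as the original framing
            }
            if (length < 0 || length > MAX_BUFFER_LENGTH) {
                throw new IOException("invalid buffer length: " + length);
            }
            byte[] data = new byte[length];
            in.readFully(data); // EOFException if the body is shorter than announced
            buffers.add(ByteBuffer.wrap(data));
        }
    }

    static void tryHardened(String label, byte[] input) {
        try {
            int n = readBuffers(new ByteArrayInputStream(input)).size();
            System.out.println(label + ": accepted " + n + " buffer(s)");
        } catch (IOException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the 3-byte body that `curl --data foo` sends.
        byte[] foo = "foo".getBytes(StandardCharsets.US_ASCII);
        System.out.println("quoted arithmetic on \"foo\": "
                + lengthAsQuoted(new ByteArrayInputStream(foo)) + " bytes requested");

        // Constructed input: a length prefix claiming 2 GiB - 1 with no body behind it.
        byte[] huge = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};

        // Constructed input: one well-formed 3-byte buffer followed by the zero terminator.
        byte[] good = {0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 0};

        tryHardened("hardened reader on \"foo\"", foo);
        tryHardened("hardened reader on 2 GiB prefix", huge);
        tryHardened("hardened reader on well-formed frame", good);
    }
}
```

On the three bytes of "foo" followed by EOF, the quoted arithmetic combines 0x66, 0x6f, 0x6f and the -1 returned at end of stream into a length of about 1.6 GiB, which is what `ByteBuffer.allocate` is then asked for; the hardened reader fails the same input on the truncated prefix before any allocation, and refuses the 2 GiB prefix on the bound even though its four bytes are all present. The right value for the cap depends on the deployment, so it is shown here as a constant rather than derived from anything in the issue.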