[ 
https://issues.apache.org/jira/browse/AVRO-1610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15456575#comment-15456575
 ] 

Ryan Blue commented on AVRO-1610:
---------------------------------

You can paste it in a comment; I can grab the raw comment source.

You may also be able to surround it in a verbatim area; the docs for it are here:
https://jira.atlassian.com/secure/WikiRendererHelpAction.jspa?section=advanced

> HttpTransceiver.java allocates arbitrary amount of memory
> ---------------------------------------------------------
>
>                 Key: AVRO-1610
>                 URL: https://issues.apache.org/jira/browse/AVRO-1610
>             Project: Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.7.7
>            Reporter: Philip Zeyliger
>
> In {{HttpTransceiver.java}}, Avro does:
> {code}
>       int length = (in.read()<<24)+(in.read()<<16)+(in.read()<<8)+in.read();
>       if (length == 0) {                       // end of buffers
>         return buffers;
>       }
>       ByteBuffer buffer = ByteBuffer.allocate(length);
> {code}
> This means that badly formatted input (like that produced by {{curl 
> http://host/ --data foo}} and many common security scanners) will trigger an 
> OutOfMemory exception.  This is undesirable, especially combined with setups 
> that kill the process on out of memory exceptions.
> This bug is similar in spirit to AVRO-1111.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
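
A bounded version of the read loop quoted in the issue description, as an added example (not Avro's code and not the fix applied for AVRO-1610). The class name `BoundedFrameReader` and the limits `MAX_FRAME` and `MAX_TOTAL` are hypothetical, and the input in `main` is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class BoundedFrameReader {
  // Hypothetical limits; size them to the largest legitimate message.
  static final int MAX_FRAME = 1 << 20;     // 1 MiB per buffer
  static final long MAX_TOTAL = 16L << 20;  // 16 MiB per request

  static List<ByteBuffer> readBuffers(InputStream raw) throws IOException {
    DataInputStream in = new DataInputStream(raw);
    List<ByteBuffer> buffers = new ArrayList<>();
    long total = 0;
    while (true) {
      int length = in.readInt();            // big-endian; EOFException on a short prefix
      if (length == 0) {                    // end of buffers
        return buffers;
      }
      if (length < 0 || length > MAX_FRAME) {
        throw new IOException("frame length out of range: " + length);
      }
      total += length;
      if (total > MAX_TOTAL) {
        throw new IOException("request exceeds " + MAX_TOTAL + " bytes");
      }
      byte[] data = new byte[length];       // allocate only after the checks pass
      in.readFully(data);                   // EOFException if the peer sent fewer bytes
      buffers.add(ByteBuffer.wrap(data));
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed input: the 3-byte body that `curl --data foo` sends.
    byte[] body = "foo".getBytes(StandardCharsets.US_ASCII);
    InputStream in = new ByteArrayInputStream(body);
    // Expression from the issue: the fourth read() hits end of stream and returns -1.
    int length = (in.read() << 24) + (in.read() << 16) + (in.read() << 8) + in.read();
    System.out.println("unchecked length prefix: " + length);
    try {
      readBuffers(new ByteArrayInputStream(body));
    } catch (IOException e) {
      System.out.println("rejected: " + e);
    }
  }
}
```

The per-frame cap alone does not bound a request that sends many frames below the limit, which is why the loop also tracks a running total.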
