Victor Mota created AVRO-2219:
---------------------------------

             Summary: std::bad_alloc when String or Bytes field has a negative length
                 Key: AVRO-2219
                 URL: https://issues.apache.org/jira/browse/AVRO-2219
             Project: Avro
          Issue Type: Bug
          Components: c++
            Reporter: Victor Mota
            Assignee: Victor Mota
         Attachments: poc-18e554fc65b937059584f21805da4b598f2266290f19d764da2c30ca1c829d0a (3)

Attached is a sample file created by our fuzzer running on the C++ library that
causes an std::bad_alloc due to the string or byte field having an invalid
negative integer length. The fix is trivial; I'll send out a PR soon, but it's
something like:

    void BinaryDecoder::decodeString(std::string& value)
    {
        // Preserve the sign to avoid allocating memory if len is negative.
        ssize_t len = decodeInt();
        if (len < 0) {
            throw Exception(
                boost::format("Cannot have a string of negative length: %1%") % len);
        }
        value.resize(len);
        if (len > 0) {
            in_.readBytes(reinterpret_cast<uint8_t*>(&value[0]), len);
        }
    }



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
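As an added worked example (not the reporter's patch and not Avro's own code): a self-contained C++ model of the bug and of the fix. ByteCursor, decodeStringUnchecked, decodeStringChecked, NegativeLengthError, makeStringField and the *Outcome helpers are hypothetical stand-ins for avro::InputStream and BinaryDecoder; decodeInt and encodeInt implement the Avro zig-zag varint "int" wire format, and every input is constructed inline. It shows how a negative 32-bit length sign-extends to a size_t near SIZE_MAX, so std::string::resize either rejects it with std::length_error or fails the allocation with std::bad_alloc depending on the library and value, and how keeping the sign and checking len < 0 before any allocation turns that into a clean decode error.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <new>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for avro::InputStream: a bounds-checked cursor over an in-memory buffer.
class ByteCursor {
public:
    explicit ByteCursor(std::vector<uint8_t> data) : data_(std::move(data)) {}

    uint8_t readByte() {
        if (pos_ >= data_.size()) throw std::runtime_error("unexpected end of input");
        return data_[pos_++];
    }

    void readBytes(uint8_t* out, size_t n) {
        if (n > data_.size() - pos_) throw std::runtime_error("unexpected end of input");
        std::copy(data_.begin() + pos_, data_.begin() + pos_ + n, out);
        pos_ += n;
    }

private:
    std::vector<uint8_t> data_;
    size_t pos_ = 0;
};

// Avro "int" wire format: zig-zag mapping, then a little-endian base-128 varint (at most 5 bytes).
int32_t decodeInt(ByteCursor& in) {
    uint32_t u = 0;
    int shift = 0;
    uint8_t b;
    do {
        if (shift > 28) throw std::runtime_error("varint too long for an Avro int");
        b = in.readByte();
        u |= static_cast<uint32_t>(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);
    return static_cast<int32_t>((u >> 1) ^ (0u - (u & 1)));  // undo zig-zag
}

// Encoder for the same format, used only to build the constructed sample inputs below.
std::vector<uint8_t> encodeInt(int32_t v) {
    uint32_t u = (static_cast<uint32_t>(v) << 1) ^ static_cast<uint32_t>(v >> 31);
    std::vector<uint8_t> out;
    while (u >= 0x80) { out.push_back(static_cast<uint8_t>(u | 0x80)); u >>= 7; }
    out.push_back(static_cast<uint8_t>(u));
    return out;
}

// Shape of the decoder before the fix: the signed length lands in a size_t, so -1 becomes SIZE_MAX.
void decodeStringUnchecked(ByteCursor& in, std::string& value) {
    size_t len = decodeInt(in);
    value.resize(len);  // std::length_error or std::bad_alloc on an attacker-chosen length
    if (len > 0) in.readBytes(reinterpret_cast<uint8_t*>(&value[0]), len);
}

struct NegativeLengthError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Fixed shape: keep the sign and reject a negative length before any allocation happens.
void decodeStringChecked(ByteCursor& in, std::string& value) {
    int32_t len = decodeInt(in);
    if (len < 0) {
        throw NegativeLengthError("Cannot have a string of negative length: " + std::to_string(len));
    }
    value.resize(static_cast<size_t>(len));
    if (len > 0) in.readBytes(reinterpret_cast<uint8_t*>(&value[0]), static_cast<size_t>(len));
}

// Constructed Avro string field: zig-zag length prefix followed by the raw bytes.
std::vector<uint8_t> makeStringField(int32_t length, const std::string& payload) {
    std::vector<uint8_t> buf = encodeInt(length);
    buf.insert(buf.end(), payload.begin(), payload.end());
    return buf;
}

int32_t roundTrip(int32_t v) {
    ByteCursor in(encodeInt(v));
    return decodeInt(in);
}

// Each helper returns "ok:<text>" on success, otherwise the failure class the decoder died with.
std::string uncheckedOutcome(int32_t length, const std::string& payload) {
    ByteCursor in(makeStringField(length, payload));
    std::string value;
    try { decodeStringUnchecked(in, value); return "ok:" + value; }
    catch (const std::length_error&) { return "length_error"; }
    catch (const std::bad_alloc&) { return "bad_alloc"; }
    catch (const std::runtime_error&) { return "truncated"; }
}

std::string checkedOutcome(int32_t length, const std::string& payload) {
    ByteCursor in(makeStringField(length, payload));
    std::string value;
    try { decodeStringChecked(in, value); return "ok:" + value; }
    catch (const NegativeLengthError& e) { return std::string("rejected: ") + e.what(); }
    catch (const std::runtime_error&) { return "truncated"; }
}

int main() {
    std::cout << "valid, unchecked:     " << uncheckedOutcome(5, "hello") << "\n";
    std::cout << "len -1, unchecked:    " << uncheckedOutcome(-1, "") << "\n";
    std::cout << "len -1, checked:      " << checkedOutcome(-1, "") << "\n";
    std::cout << "short input, checked: " << checkedOutcome(8, "abc") << "\n";
    return 0;
}
```

One caveat the sign check alone does not cover: a positive length up to INT32_MAX is still accepted, and resize() allocates that much before a single payload byte is read, so a two-byte prefix can force a 2 GiB allocation. Where the decoder knows how much input remains (as the ByteCursor here does), also bounding len against the remaining bytes before the resize keeps a hostile length from costing more than the input it arrived in.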