OwenSanzas opened a new pull request, #3622:
URL: https://github.com/apache/avro/pull/3622
## Summary
Fix missing validation for negative length values in `read_bytes()` and
`read_string()` functions in `encoding_binary.c`.
## Problem
The `read_long()` function uses zigzag encoding which can decode to negative
numbers from malicious input. These negative values were passed directly to
`avro_malloc()`, causing:
- **allocation-size-too-big** when negative `int64_t` is cast to `size_t`
- Potential crash or undefined behavior
## Changes
- Add `len < 0` check in `read_bytes()` before allocation
- Add `str_len < 0` check in `read_string()` before allocation
- Return `EINVAL` with descriptive error message on invalid input
## Testing
Verified with AddressSanitizer fuzzing - crash no longer reproduces.
```
# Before fix:
==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffe9
#1 in read_string encoding_binary.c:179
# After fix:
No crash - invalid input rejected with error
```
---
Generated with [Claude Code](https://claude.ai/code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
