OwenSanzas opened a new pull request, #3623:
URL: https://github.com/apache/avro/pull/3623
## Summary
Fix missing validation for negative block size values in
`file_read_block_count()` function in `datafile.c`.
## Problem
The block size is read using zigzag encoding which can decode to negative
numbers from malicious Avro container files. These negative values were passed
directly to `avro_malloc()`, causing:
- **allocation-size-too-big** when negative `int64_t` is cast to `size_t`
- Potential crash or undefined behavior when opening malformed `.avro` files
## Changes
- Add `len < 0` check in `file_read_block_count()` before allocation
- Return `EINVAL` with descriptive error message on invalid input
## Testing
Verified with AddressSanitizer fuzzing - crash no longer reproduces.
```
# Before fix:
==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff
#1 in file_read_block_count datafile.c:459
# After fix:
No crash - invalid input rejected with error
```
---
Generated with [Claude Code](https://claude.ai/code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
