iemejia opened a new pull request, #3777: URL: https://github.com/apache/avro/pull/3777
## Summary - Backport of #3745 (d28279dace) from master to branch-1.11 - Adds decompression bomb protection to all Avro codecs (Deflate, BZip2, Snappy, XZ, Zstandard) with a configurable limit via system property `org.apache.avro.limits.decompress.maxLength` - Limit checks are enforced in `NonCopyingByteArrayOutputStream` (used by stream-based codecs) and directly in `SnappyCodec` (which uses `ByteBuffer`) ## Java 8 compatibility fixes Since branch-1.11 targets Java 8 while master targets Java 11, the following changes were made on top of the cherry-pick: - Replaced `Objects.checkFromIndexSize()` (Java 9+) with equivalent manual bounds checking - Replaced `ByteArrayOutputStream.writeBytes()` override (Java 11+) with a standalone method delegating to `write(b, 0, b.length)` - Removed unused `java.util.Objects` import ## Testing All 198 tests pass (66 tests x 3 execution modes: default, custom-coders, fast-reader), including: - `NonCopyingByteArrayOutputStreamTest` - 5 new tests for limit enforcement - `TestAllCodecs` - 12 tests covering all codec roundtrips - `TestDataFile*` - full data file read/write tests across all codecs -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
