Deho Kim created AVRO-4270:
------------------------------

             Summary: Fix wrong schema accessor in avro_generic_map_class
                 Key: AVRO-4270
                 URL: https://issues.apache.org/jira/browse/AVRO-4270
             Project: Apache Avro
          Issue Type: Bug
          Components: c
    Affects Versions: 1.12.1
            Reporter: Deho Kim
             Fix For: 1.13.0


## What is the purpose of the change

`avro_generic_map_class()` in `lang/c/src/generic.c` incorrectly calls
`avro_schema_array_items(schema)` instead of `avro_schema_map_values(schema)`.
This is a copy-paste bug from the array class implementation.

The wrong accessor reinterprets a MAP schema pointer as an ARRAY schema type.
Under UndefinedBehaviorSanitizer with `-fno-sanitize-recover`, this triggers a
fatal diagnostic. Without sanitizers the code silently returns the correct value
today because `avro_array_schema_t` and `avro_map_schema_t` share the same
memory layout, but this is fragile and will break if the struct layouts diverge.

Fixes AVRO-XXXX.

## Verifying this change

This change can be verified as follows:

- Built the C library with ASan + UBSan:
  `-fsanitize=address,undefined -fno-sanitize-recover=undefined -g -O1`
- Ran a custom `value_reader_fuzzer` targeting `avro_value_read()` with a
  PoC input that selects a `{"type":"map","values":"string"}` schema
- Before fix: UBSan aborts in the map value initialization path
- After fix: no UBSan diagnostic; input is processed normally

Discovered by FuzzingBrain @O2Lab.

## Documentation

- Does this pull request introduce a new feature? (yes / no)
  **no**
- If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
  **not applicable**
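The type confusion described in this issue, as an added example that is not Avro's code and not the reporter's PoC: a constructed model with a tagged schema header, an `array_schema_t` and a `map_schema_t` that happen to share one layout (as the real `avro_array_schema_t` and `avro_map_schema_t` do per the description), and two accessors, `schema_array_items()` and `schema_map_values()`, standing in for `avro_schema_array_items()` / `avro_schema_map_values()`. The type-tag check in those accessors and the `sample_*` schemas are this example's own choices; the point is to show why the copy-paste call returned the right pointer by layout coincidence, and how a checked accessor turns that silent reinterpretation into a visible failure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the schema objects involved; this is not Avro's code.
 * Every schema starts with a common header carrying a type tag, and the
 * array and map schemas each add exactly one child-schema pointer, so their
 * layouts coincide, as the issue describes for the real structs. */
typedef enum { SCHEMA_STRING, SCHEMA_ARRAY, SCHEMA_MAP } schema_type_t;

typedef struct schema_obj { schema_type_t type; } schema_obj_t;
typedef schema_obj_t *schema_t;

typedef struct { schema_obj_t obj; schema_t items;  } array_schema_t;
typedef struct { schema_obj_t obj; schema_t values; } map_schema_t;

/* Checked accessors (the tag check is this example's choice): a call on the
 * wrong schema kind fails visibly with NULL instead of reinterpreting a
 * foreign struct. */
schema_t schema_array_items(schema_t s)
{
    if (s == NULL || s->type != SCHEMA_ARRAY) return NULL;
    return ((array_schema_t *)s)->items;
}

schema_t schema_map_values(schema_t s)
{
    if (s == NULL || s->type != SCHEMA_MAP) return NULL;
    return ((map_schema_t *)s)->values;
}

/* The copy-paste bug: the map initialization path asks for array items. */
schema_t buggy_map_value_schema(schema_t map_schema)
{
    return schema_array_items(map_schema);
}

/* The fix: ask the map accessor for the values schema. */
schema_t fixed_map_value_schema(schema_t map_schema)
{
    return schema_map_values(map_schema);
}

/* Why the bug was silent: an unchecked accessor simply reads the pointer
 * stored at the array struct's `items` offset. Done here with memcpy over the
 * object's bytes so the coincidence can be shown without an aliasing cast. */
schema_t unchecked_items_by_layout(schema_t s)
{
    schema_t child;
    memcpy(&child, (const char *)s + offsetof(array_schema_t, items),
           sizeof child);
    return child;
}

/* 1 while the two layouts line up; the "correct" result above depends on it
 * and goes away the moment either struct gains a field. */
int layouts_coincide(void)
{
    return offsetof(array_schema_t, items) == offsetof(map_schema_t, values);
}

/* Constructed sample: the {"type":"map","values":"string"} schema. */
static schema_obj_t sample_string = { SCHEMA_STRING };
static map_schema_t sample_map = { { SCHEMA_MAP }, &sample_string };

schema_t sample_string_schema(void) { return &sample_string; }
schema_t sample_map_schema(void)    { return &sample_map.obj; }

int main(void)
{
    schema_t m = sample_map_schema();
    printf("fixed accessor:     %s\n",
           fixed_map_value_schema(m) == sample_string_schema() ? "string" : "?");
    printf("buggy accessor:     %s\n",
           buggy_map_value_schema(m) == NULL ? "rejected (NULL)" : "?");
    printf("unchecked by layout: %s (layouts coincide: %d)\n",
           unchecked_items_by_layout(m) == sample_string_schema() ? "string" : "?",
           layouts_coincide());
    return 0;
}
```

The unchecked read returns the `string` schema only because `offsetof(array_schema_t, items)` equals `offsetof(map_schema_t, values)`; a tag check in the accessor, or a sanitizer build as used in the verification above, is what makes the wrong call fail where it happens rather than wherever the layouts next diverge.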



--
This message was sent by Atlassian Jira
(v8.20.10#820010)