Hao Zou created ORC-2167:
----------------------------
Summary: Integer Overflow in PostScript Footer Length Validation Causes Crash
Key: ORC-2167
URL: https://issues.apache.org/jira/browse/ORC-2167
Project: ORC
Issue Type: Improvement
Components: C++, Format
Reporter: Hao Zou
When parsing an ORC file with an extremely large footer_length value in the
PostScript (e.g., UINT64_MAX), the C++ reader crashes with SIGBUS due to an
integer overflow in the bounds check.
The check fileLength_ < metadataSize + footerLength + postscriptLength_ + 1
uses unsigned addition that can overflow. When footerLength is near UINT64_MAX,
the sum wraps around to a small value, bypassing the validation. Subsequently,
the metadataStart calculation also overflows, leading to an invalid offset and
memory access violation.
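As an added illustration (not ORC's own code; the struct and function names are hypothetical), the wrapping check from the report sits next to a subtraction-based form that cannot overflow, plus the derived metadata offset guarded the same way:

```cpp
#include <cstdint>

// Sizes involved in the footer check. metadataSize and footerLength come
// straight from the untrusted PostScript, so either may be absurdly large.
struct FooterSizes {
    uint64_t fileLength;        // trusted: real size of the file
    uint64_t metadataSize;      // untrusted: read from the PostScript
    uint64_t footerLength;      // untrusted: read from the PostScript
    uint64_t postscriptLength;  // read from the last byte of the file
};

// Reproduces the check the ticket describes. Unsigned addition wraps, so a
// footerLength near UINT64_MAX makes the sum small and the check passes.
bool footerFitsWrapping(const FooterSizes& s) {
    return !(s.fileLength < s.metadataSize + s.footerLength +
                            s.postscriptLength + 1);
}

// Overflow-safe form: consume the trusted total piece by piece instead of
// adding untrusted parts. Each step checks the budget before subtracting,
// so no intermediate value can wrap. The 1 is the trailing length byte.
bool footerFitsSafe(const FooterSizes& s) {
    const uint64_t parts[] = {1, s.postscriptLength, s.footerLength,
                              s.metadataSize};
    uint64_t remaining = s.fileLength;
    for (uint64_t part : parts) {
        if (part > remaining) return false;  // needs more bytes than exist
        remaining -= part;                   // safe: part <= remaining
    }
    return true;
}

// The ticket notes metadataStart overflows as well. Derive it only after
// the safe check, so the subtraction chain is known not to underflow.
bool metadataStartSafe(const FooterSizes& s, uint64_t* start) {
    if (!footerFitsSafe(s)) return false;
    *start = s.fileLength - 1 - s.postscriptLength - s.footerLength -
             s.metadataSize;
    return true;
}
```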
--
This message was sent by Atlassian Jira
(v8.20.10#820010)