Jens Geyer created THRIFT-6034:
----------------------------------
Summary: Harden Dart protocol negative sizes
Key: THRIFT-6034
URL: https://issues.apache.org/jira/browse/THRIFT-6034
Project: Thrift
Issue Type: Bug
Components: Dart - Library
Reporter: Jens Geyer
The Dart library does not validate negative sizes at the protocol level when
reading Thrift payloads.
Size values appear in binary/string fields and in map/list/set headers. Those
values must be non-negative. In {{t_binary_protocol.dart}}, the
{{readMapBegin}}, {{readListBegin}}, {{readSetBegin}}, {{readString}}, and
{{readBinary}} methods read a size and use it without any negative check.
While a negative size will eventually cause a Dart {{RangeError}} (e.g. from
{{Uint8List(-1)}}), this is not a proper TProtocolException and provides no
structured error information to callers.
Note: the existing {{size < 0}} check is only in {{readMessageBegin}} for
protocol version detection.
This is a protocol hardening gap compared with other runtimes such as C++,
Java, Python, Go, and Node.js, which all raise a NEGATIVE_SIZE exception.
The fix should add explicit negative-size checks that throw a
TProtocolException in all container and string/binary read paths.
See THRIFT-6025 for the equivalent Ruby fix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
