JakeDern opened a new pull request, #8097: URL: https://github.com/apache/arrow-rs/pull/8097
# Which issue does this PR close?

No issue filed.

# Rationale for this change

We allocate memory based on metadata length - If an untrusted client writes a meta len of < 0 then we'll allocate a large number of bytes due to sign extension and likely panic.

# What changes are included in this PR?

- Update StreamReader in both places it reads metadata length for < 0 which is at the start of the stream to read the schema, and in the middle of the stream between each message.

# Are these changes tested?

Yes, tests for both reads are added

# Are there any user-facing changes?

No
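The failure mode described in this pull request, as an added example that is not code from the PR or from arrow-rs: a signed 32-bit length prefix cast straight to `usize` versus one checked for `< 0` before the buffer is sized. The function names `unchecked_len`, `read_meta_len` and `read_metadata` are hypothetical, and the input bytes are constructed.

```rust
use std::io::{self, Cursor, Read};

/// What an unchecked `as usize` cast does to a negative length prefix:
/// the i32 is sign-extended to pointer width, so -1 becomes usize::MAX.
fn unchecked_len(prefix: [u8; 4]) -> usize {
    i32::from_le_bytes(prefix) as usize
}

/// Hypothetical helper (not arrow-rs code): read a 4-byte little-endian
/// signed length prefix and reject negative values before any allocation.
fn read_meta_len<R: Read>(reader: &mut R) -> io::Result<usize> {
    let mut prefix = [0u8; 4];
    reader.read_exact(&mut prefix)?;
    let len = i32::from_le_bytes(prefix);
    if len < 0 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("invalid metadata length: {}", len),
        ));
    }
    Ok(len as usize) // safe: len is known to be non-negative here
}

/// Validate the prefix first, and only then size the buffer from it.
fn read_metadata<R: Read>(reader: &mut R) -> io::Result<Vec<u8>> {
    let len = read_meta_len(reader)?;
    let mut buf = vec![0u8; len];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

fn main() {
    // Constructed inputs: a valid 3-byte message, and a prefix encoding -1.
    let good = [3u8, 0, 0, 0, b'a', b'b', b'c'];
    let bad = [0xFFu8, 0xFF, 0xFF, 0xFF];
    println!("{:?}", read_metadata(&mut Cursor::new(&good[..])));
    println!("{:?}", read_metadata(&mut Cursor::new(&bad[..])));
    println!("unchecked cast of -1: {:#x}", unchecked_len(bad));
}
```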