etseidl commented on code in PR #9868:
URL: https://github.com/apache/arrow-rs/pull/9868#discussion_r3184512738


##########
parquet/src/parquet_thrift.rs:
##########
@@ -686,8 +704,18 @@ where
     R: ThriftCompactInputProtocol<'a>,
     T: ReadThrift<'a, R>,
 {
+    // `read_list_begin` rejects sizes above `i32::MAX`; `try_reserve_exact`
+    // catches the remaining attacker-controlled allocation case so a
+    // malformed `size` cannot trigger a `Vec::with_capacity` panic.
     let list_ident = prot.read_list_begin()?;
-    let mut res = Vec::with_capacity(list_ident.size as usize);
+    let len = list_ident.size as usize;
+    let mut res: Vec<T> = Vec::new();
+    if res.try_reserve_exact(len).is_err() {
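Review bot: `try_reserve_exact(len)` at the end of this hunk converts a capacity-overflow panic into an error, but it does not stop a `size` that is large yet allocatable (anything up to `i32::MAX` elements, times `size_of::<T>()`) from reserving gigabytes up front on the strength of a few header bytes, before a single element has been parsed. Since every list element consumes at least one byte of input, consider capping the reservation by the bytes remaining in the input (if the protocol exposes that) or by a fixed upper bound, and letting the `Vec` grow beyond the cap as elements actually arrive. Separately, `let len = list_ident.size as usize;` silently turns a negative value into a huge length if `size` is a signed type; that case does end up in the `try_reserve_exact` error path, but the new comment should say so, or `read_list_begin` should reject negative sizes explicitly alongside the `i32::MAX` check it already performs.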

Review Comment:
   Because `try_reserve` might overallocate speculatively, but we know the exact length up front.
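The pattern under discussion (refusing to let an attacker-controlled element count drive an unchecked `Vec` allocation) as a stand-alone added example; this is not arrow-rs code and not Thrift. It uses a constructed wire format: a little-endian `u64` element count followed by that many little-endian `u32` elements. The reader first rejects any count that the remaining input could not possibly hold, so a 12-byte message cannot request gigabytes, and only then reserves capacity with `try_reserve_exact`, which returns an error instead of panicking when `len * size_of::<T>()` overflows or the allocator refuses. `ParseError`, `Reader`, `reserve_checked`, `read_u32_list` and `encode_u32_list` are names chosen for this example.

```rust
// Added example, not arrow-rs code. Wire format (constructed for this
// example): u64 LE element count, then that many u32 LE elements.
use std::collections::TryReserveError;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer bytes remain than a fixed-size read needs.
    Truncated { needed: usize, remaining: usize },
    /// The header declares more elements than the remaining bytes can hold.
    DeclaredTooLong { declared: u64, remaining: usize },
    /// `len * size_of::<T>()` overflowed, or the allocator refused.
    Alloc,
}

impl From<TryReserveError> for ParseError {
    fn from(_: TryReserveError) -> Self {
        ParseError::Alloc
    }
}

/// Reserve room for exactly `len` elements without panicking: the
/// `try_reserve_exact` counterpart of `Vec::with_capacity(len)`.
pub fn reserve_checked<T>(len: usize) -> Result<Vec<T>, ParseError> {
    let mut v: Vec<T> = Vec::new();
    v.try_reserve_exact(len)?;
    Ok(v)
}

/// Cursor over untrusted input that tracks how many bytes remain.
pub struct Reader<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> Reader<'a> {
    pub fn new(buf: &'a [u8]) -> Self {
        Reader { buf, pos: 0 }
    }

    fn remaining(&self) -> usize {
        self.buf.len() - self.pos
    }

    fn take(&mut self, n: usize) -> Result<&'a [u8], ParseError> {
        if self.remaining() < n {
            return Err(ParseError::Truncated { needed: n, remaining: self.remaining() });
        }
        let s = &self.buf[self.pos..self.pos + n];
        self.pos += n;
        Ok(s)
    }

    fn read_u64(&mut self) -> Result<u64, ParseError> {
        let mut b = [0u8; 8];
        b.copy_from_slice(self.take(8)?);
        Ok(u64::from_le_bytes(b))
    }

    fn read_u32(&mut self) -> Result<u32, ParseError> {
        let mut b = [0u8; 4];
        b.copy_from_slice(self.take(4)?);
        Ok(u32::from_le_bytes(b))
    }
}

/// Parse a u32 list. The declared count is bounded by the input actually
/// present before any allocation, then the allocation itself is checked.
pub fn read_u32_list(input: &[u8]) -> Result<Vec<u32>, ParseError> {
    const ELEM_BYTES: usize = 4;
    let mut r = Reader::new(input);
    let declared = r.read_u64()?;
    // Each element occupies ELEM_BYTES of input, so a count above
    // remaining / ELEM_BYTES is malformed no matter what the allocator
    // would tolerate. This is the check that keeps a tiny message from
    // reserving a huge but still allocatable buffer.
    let max_possible = (r.remaining() / ELEM_BYTES) as u64;
    if declared > max_possible {
        return Err(ParseError::DeclaredTooLong { declared, remaining: r.remaining() });
    }
    let len = declared as usize;
    let mut out = reserve_checked::<u32>(len)?;
    for _ in 0..len {
        out.push(r.read_u32()?);
    }
    Ok(out)
}

/// Encoder for the constructed format, used to build sample input.
pub fn encode_u32_list(items: &[u32]) -> Vec<u8> {
    let mut buf = (items.len() as u64).to_le_bytes().to_vec();
    for x in items {
        buf.extend_from_slice(&x.to_le_bytes());
    }
    buf
}

fn main() {
    println!("{:?}", read_u32_list(&encode_u32_list(&[1, 2, 3])));
    // Constructed malformed input: header claims u64::MAX elements, 4 bytes of payload.
    let mut bad = u64::MAX.to_le_bytes().to_vec();
    bad.extend_from_slice(&[0u8; 4]);
    println!("{:?}", read_u32_list(&bad));
}
```

`reserve_checked::<u32>(usize::MAX)` fails deterministically with `Alloc` because the byte count overflows `isize`, which is the case the PR's `try_reserve_exact` guards; the length-versus-remaining check is what handles the sizes that would not overflow but would still be far larger than the message carrying them.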



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
