miniex opened a new pull request, #10237:
URL: https://github.com/apache/arrow-rs/pull/10237

   # Which issue does this PR close?
   
   - Closes #10234
   - Closes #10235
   
   # Rationale for this change
   
   The Avro OCF reader trusts two length fields straight from the input, so a small crafted file can take down a process that parses untrusted Avro. A block size of `i64::MAX` reaches `Vec::reserve` before any payload is read and aborts the process on a huge allocation (#10234). A block count of `i64::MAX` spins the array/map item loop forever for a zero-byte item type like `null`, and `i64::MIN` overflows the negative-count negation (#10235).
   
   # What changes are included in this PR?
   
   - `block.rs`: reserve only what the current input buffer backs, and let the rest grow as data arrives.
   - `record.rs`: reject a block item count larger than the bytes left to decode, and take the negative-count magnitude with `unsigned_abs`.
   - `cursor.rs`: add `AvroCursor::remaining()`, used by that bound.
   
   A count past the remaining bytes can only describe items that are not there. Items that read input each need at least one byte, so only the zero-byte case is rejected and valid blocks keep working.
   
   # Are these changes tested?
   
   Yes. The new tests hang or abort before this change and pass after. In `reader::block`, an `i64::MAX` block size stays bounded instead of aborting, a negative size errors, and a well-formed block still round-trips. In `reader::record`, `i64::MAX` and `i64::MIN` block counts on an `array<null>` now error instead of spinning the item loop. `fmt --check` and `clippy` are clean.
   
   # Are there any user-facing changes?
   
   Malformed Avro OCF input that used to abort or hang now returns a clean `AvroError`. There are no public API changes.
   
   ---
   
   I'm Korean, so sorry if any wording reads a little awkward.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
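
The block-count bound and the `unsigned_abs` handling described in the pull request above, as an added Rust example that is not the arrow-rs code. The names `read_long`, `checked_block_count` and `count_null_array` are hypothetical, and the byte strings are constructed inputs.

```rust
// Added illustration: function names are hypothetical, not arrow-avro's API.

/// Read one Avro `long` (zig-zag varint) from the front of `buf`.
fn read_long(buf: &mut &[u8]) -> Result<i64, String> {
    let mut raw: u64 = 0;
    for shift in (0..64u32).step_by(7) {
        let (&byte, rest) = buf.split_first().ok_or("unexpected end of input")?;
        *buf = rest;
        raw |= u64::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 {
            return Ok((raw >> 1) as i64 ^ -((raw & 1) as i64));
        }
    }
    Err("varint longer than 10 bytes".into())
}

/// Bound a block item count by the bytes left to decode.
fn checked_block_count(count: i64, remaining: usize) -> Result<u64, String> {
    // `-count` overflows for i64::MIN; `unsigned_abs` is defined for every i64.
    let items = count.unsigned_abs();
    if items > remaining as u64 {
        return Err(format!("block count {items} exceeds {remaining} bytes left"));
    }
    Ok(items)
}

/// Count the items of an `array<null>`, whose items occupy zero bytes.
fn count_null_array(mut buf: &[u8]) -> Result<u64, String> {
    let mut total = 0u64;
    loop {
        let count = read_long(&mut buf)?;
        if count == 0 {
            return Ok(total); // end-of-array marker
        }
        if count < 0 {
            read_long(&mut buf)?; // a negative count is followed by the block's byte size
        }
        // Unbounded, a count of i64::MAX would iterate without consuming any input.
        let items = checked_block_count(count, buf.len())?;
        total += items; // stands in for decoding `items` zero-byte values
    }
}

fn main() {
    // Constructed inputs: [count = 1, end marker] and [count = i64::MAX, end marker].
    let hostile: [u8; 11] = [0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00];
    println!("{:?}", count_null_array(&[0x02, 0x00]));
    println!("{:?}", count_null_array(&hostile));
}
```

In this example the bound is taken against every byte left in the input, including the end-of-array marker.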