martin-g commented on code in PR #414:
URL: https://github.com/apache/avro-rs/pull/414#discussion_r2706052596
##########
avro/src/serde/de.rs:
##########
@@ -382,26 +383,241 @@ impl<'de> de::Deserializer<'de> for &Deserializer<'de> {
}
forward_to_deserialize_any! {
- bool i8 i16 i32 i64 u8 u16 u32 u64 f32 f64
+ bool i8 i16 i32 i64 u8 u16 u32 f32 f64
}
- fn deserialize_char<V>(self, _: V) -> Result<V::Value, Self::Error>
+ fn deserialize_u64<V>(self, visitor: V) -> Result<V::Value, Self::Error>
where
V: Visitor<'de>,
{
- Err(de::Error::custom("avro does not support char"))
+ match self.input {
+ Value::Int(i) | Value::Date(i) | Value::TimeMillis(i) => {
+ let n = u64::try_from(*i).map_err(|e|
Details::ConvertI32ToU64(e, *i))?;
+ visitor.visit_u64(n)
+ }
+ Value::Long(i)
+ | Value::TimeMicros(i)
+ | Value::TimestampMillis(i)
+ | Value::TimestampMicros(i)
+ | Value::TimestampNanos(i)
+ | Value::LocalTimestampMillis(i)
+ | Value::LocalTimestampMicros(i)
+ | Value::LocalTimestampNanos(i) => {
+ let n = u64::try_from(*i).map_err(|e|
Details::ConvertI64ToU64(e, *i))?;
+ visitor.visit_u64(n)
+ }
+ Value::Fixed(8, bytes) => {
+ let n =
u64::from_le_bytes(bytes.as_slice().try_into().expect("Size is 8"));
+ visitor.visit_u64(n)
+ }
+ Value::Union(_i, x) => match x.deref() {
+ Value::Int(i) | Value::Date(i) | Value::TimeMillis(i) => {
+ let n = u64::try_from(*i).map_err(|e|
Details::ConvertI32ToU64(e, *i))?;
+ visitor.visit_u64(n)
+ }
+ Value::Long(i)
+ | Value::TimeMicros(i)
+ | Value::TimestampMillis(i)
+ | Value::TimestampMicros(i)
+ | Value::TimestampNanos(i)
+ | Value::LocalTimestampMillis(i)
+ | Value::LocalTimestampMicros(i)
+ | Value::LocalTimestampNanos(i) => {
+ let n = u64::try_from(*i).map_err(|e|
Details::ConvertI64ToU64(e, *i))?;
+ visitor.visit_u64(n)
+ }
+ Value::Fixed(8, bytes) => {
+ let n =
u64::from_le_bytes(bytes.as_slice().try_into().expect("Size is 8"));
+ visitor.visit_u64(n)
+ }
+ _ => Err(de::Error::custom(format!(
+ "Expected a Int|Long|Fixed(8), but got {:?}",
+ self.input
+ ))),
+ },
+ _ => Err(de::Error::custom(format!(
+ "Expected a Int|Long|Fixed(8), but got {:?}",
+ self.input
+ ))),
+ }
+ }
+
+ fn deserialize_u128<V>(self, visitor: V) -> Result<V::Value, Self::Error>
+ where
+ V: Visitor<'de>,
+ {
+ match self.input {
+ Value::Int(i) | Value::Date(i) | Value::TimeMillis(i) => {
+ let n = u128::try_from(*i).map_err(|e|
Details::ConvertI32ToU64(e, *i))?;
+ visitor.visit_u128(n)
+ }
+ Value::Long(i)
+ | Value::TimeMicros(i)
+ | Value::TimestampMillis(i)
+ | Value::TimestampMicros(i)
+ | Value::TimestampNanos(i)
+ | Value::LocalTimestampMillis(i)
+ | Value::LocalTimestampMicros(i)
+ | Value::LocalTimestampNanos(i) => {
+ let n = u128::try_from(*i).map_err(|e|
Details::ConvertI64ToU64(e, *i))?;
+ visitor.visit_u128(n)
+ }
+ Value::Fixed(16, bytes) => {
+ let n =
u128::from_le_bytes(bytes.as_slice().try_into().expect("Size is 16"));
Review Comment:
Let's add a check that `bytes.len() == 16`.
An attacker could produce an .avro file with len=16 but arbitrary bytes
after it.