Copilot commented on code in PR #3853:
URL: https://github.com/apache/avro/pull/3853#discussion_r3564611275
##########
lang/c/src/codec.c:
##########
@@ -141,12 +167,27 @@ static int decode_snappy(avro_codec_t c, void * data,
int64_t len)
{
uint32_t crc;
size_t outlen;
+ int64_t max_len = avro_max_decompress_length();
+
+ /* The block carries a trailing 4-byte CRC; a length below that is
+ * malformed and would underflow len - 4. */
+ if (len < 4) {
+ avro_set_error("Snappy block too small (%lld bytes), expected
at least 4",
+ (long long) len);
+ return 1;
+ }
if (snappy_uncompressed_length((const char*)data, len-4, &outlen) !=
SNAPPY_OK) {
avro_set_error("Uncompressed length error in snappy");
return 1;
}
+ if ((int64_t) outlen > max_len) {
+ avro_set_error("Decompressed block size %llu exceeds the
maximum allowed of %lld bytes",
+ (unsigned long long) outlen, (long long)
max_len);
+ return 1;
+ }
Review Comment:
The max-decompressed-length guard in decode_snappy can be bypassed when the
Snappy header declares an uncompressed length > INT64_MAX: casting outlen
(size_t) to int64_t can wrap negative, making the comparison fail and allowing
a huge allocation via avro_malloc(outlen). Compare using size_t (with a safe
conversion of max_len) instead of casting outlen to int64_t.
##########
lang/c/tests/test_avro_4284.c:
##########
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * AVRO-4284: a data-file block is decompressed according to the file's codec.
+ * A block with a very high compression ratio (or a malformed block) can expand
+ * to far more memory than its compressed size. Decompression must reject a
+ * block whose decompressed size would exceed the configured maximum, which
+ * these tests set to a small value via AVRO_MAX_DECOMPRESS_LENGTH.
+ */
+
+#include <avro.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "codec.h"
+
+/* Size of the highly compressible payload used to build an over-large block.
*/
+#define PAYLOAD_SIZE (4 * 1024 * 1024) /* 4 MiB of zeros */
+/* Decompression limit for the test, smaller than the payload. */
+#define TEST_LIMIT "1048576" /* 1 MiB */
+
+/*
+ * Compress `payload` with the named codec and attempt to decompress it with a
+ * decompression limit smaller than the payload. Returns 0 if the codec is not
+ * available (test skipped for that codec), 1 on test failure, 2 on success.
+ */
+static int
+check_codec_rejects_oversized(const char *name, const char *payload, int64_t
payload_len)
+{
+ struct avro_codec_t_ codec;
+ memset(&codec, 0, sizeof(codec));
+
+ if (avro_codec(&codec, name) != 0) {
+ fprintf(stderr, " codec %s not available, skipping\n", name);
+ return 0;
+ }
+
+ if (avro_codec_encode(&codec, (void *) payload, payload_len) != 0) {
+ fprintf(stderr, " codec %s: encode failed: %s\n", name,
avro_strerror());
+ avro_codec_reset(&codec);
+ return 1;
+ }
+
+ /* Copy the compressed bytes; decode reuses the codec's block buffer. */
+ int64_t compressed_len = codec.used_size;
+ if (compressed_len <= 0) {
+ fprintf(stderr, " codec %s: unexpected compressed length
%lld\n",
+ name, (long long) compressed_len);
+ avro_codec_reset(&codec);
+ return 1;
+ }
+ char *compressed = (char *) malloc((size_t) compressed_len);
+ if (compressed == NULL) {
+ avro_codec_reset(&codec);
+ return 1;
+ }
+ memcpy(compressed, codec.block_data, (size_t) compressed_len);
+
+ int rc = avro_codec_decode(&codec, compressed, compressed_len);
+
+ free(compressed);
+ avro_codec_reset(&codec);
+
+ if (rc == 0) {
+ fprintf(stderr, " codec %s: expected decompression to be
rejected but it succeeded\n", name);
+ return 1;
+ }
+ fprintf(stderr, " codec %s: over-limit block rejected as expected\n",
name);
+ return 2;
Review Comment:
The test treats any non-zero return from avro_codec_decode as success, so it
could pass even if decoding fails for an unrelated reason (e.g., CRC failure or
other regression) rather than specifically enforcing the
max-decompressed-length rejection. Capture and assert the error message
indicates the size limit was hit.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]