[
https://issues.apache.org/jira/browse/AVRO-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ismaël Mejía updated AVRO-4292:
-------------------------------
Description:
A bytes or string value is encoded as a length prefix followed by that many
bytes of data, and an array or map block is encoded as an element count
followed by that many items. A malicious or truncated input can declare a very
large length or count while carrying little or no actual data, causing a
correspondingly large allocation before the shortfall is noticed.
AVRO-4241 addressed the length-prefix case in the Java SDK by verifying, when
the source can report how many bytes remain, that a declared length does not
exceed the bytes actually available before allocating for it. This umbrella
applies the equivalent guard to the other language SDKs and extends it to
collections:
- Length-prefixed bytes/string: reject a declared length that exceeds the bytes
actually available (the JavaScript SDK already bounds these against its
in-memory buffer).
- Collections: reject a block whose element count could not be backed by the
bytes remaining, using the minimum on-wire size of the element schema so
zero-byte element types (e.g. null) are not falsely rejected.
- Zero-byte element collections: because zero-byte elements consume no input
they bypass the available-bytes check, so additionally cap the cumulative item
count of such blocks (e.g. array<null> with a huge block count), apply a
structural cap to all collections, and bound the array/map skip paths so
skipping a huge block cannot loop unboundedly. This subsumes the separate
collection-limit work previously tracked under AVRO-4277, which is now
superseded by this issue.
Sub-tasks: C (AVRO-4293), C++ (AVRO-4294), C# (AVRO-4295), Python (AVRO-4296),
Ruby (AVRO-4297), PHP (AVRO-4298), Perl (AVRO-4299), Java (AVRO-4300), and
JavaScript (AVRO-4301). The zero-byte-element cap, structural cap and skip
bounding are included for C, C++, Python, PHP, Perl, Java and JavaScript; C#
and Ruby currently carry the available-bytes checks plus negative-length and
overflow hardening.
was:
A bytes or string value is encoded as a length prefix followed by that many
bytes of data, and an array or map block is encoded as an element count
followed by that many items. A malicious or truncated input can declare a very
large length or count while carrying little or no actual data, causing a
correspondingly large allocation before the shortfall is noticed.
AVRO-4241 addressed the length-prefix case in the Java SDK by verifying, when
the source can report how many bytes remain, that a declared length does not
exceed the bytes actually available before allocating for it. This umbrella
applies the equivalent guard to the other language SDKs and extends it to
collections:
- Length-prefixed bytes/string: reject a declared length that exceeds the bytes
actually available (the JavaScript SDK already bounds against its in-memory
buffer).
- Collections: reject a block whose element count could not be backed by the
bytes remaining, using the minimum on-wire size of the element schema so
zero-byte element types (e.g. null) are not falsely rejected.
- Zero-byte element collections: because zero-byte elements consume no input
they bypass the available-bytes check, so additionally cap the cumulative item
count of such blocks (e.g. array<null> with a huge block count), apply a
structural cap to all collections, and bound the array/map skip paths so
skipping a huge block cannot loop unboundedly. This subsumes the separate
collection-limit work previously tracked under AVRO-4277, which is now
superseded by this issue.
Sub-tasks: C (AVRO-4293), C++ (AVRO-4294), C# (AVRO-4295), Python (AVRO-4296),
Ruby (AVRO-4297), PHP (AVRO-4298), Perl (AVRO-4299), and Java (AVRO-4300). The
zero-byte-element cap, structural cap and skip bounding are included for C,
C++, Python, PHP, Perl and Java; C# and Ruby currently carry the
available-bytes checks plus negative-length and overflow hardening.
> Bound allocation when decoding length-prefixed values and collections
> ---------------------------------------------------------------------
>
> Key: AVRO-4292
> URL: https://issues.apache.org/jira/browse/AVRO-4292
> Project: Apache Avro
> Issue Type: Bug
> Affects Versions: 1.11.5, 1.12.1
> Reporter: Ismaël Mejía
> Assignee: Ismaël Mejía
> Priority: Major
> Fix For: 1.13.0, 1.11.6, 1.12.2
>
>
> A bytes or string value is encoded as a length prefix followed by that many
> bytes of data, and an array or map block is encoded as an element count
> followed by that many items. A malicious or truncated input can declare a
> very large length or count while carrying little or no actual data, causing a
> correspondingly large allocation before the shortfall is noticed.
> AVRO-4241 addressed the length-prefix case in the Java SDK by verifying, when
> the source can report how many bytes remain, that a declared length does not
> exceed the bytes actually available before allocating for it. This umbrella
> applies the equivalent guard to the other language SDKs and extends it to
> collections:
> - Length-prefixed bytes/string: reject a declared length that exceeds the
> bytes actually available (the JavaScript SDK already bounds these against its
> in-memory buffer).
> - Collections: reject a block whose element count could not be backed by the
> bytes remaining, using the minimum on-wire size of the element schema so
> zero-byte element types (e.g. null) are not falsely rejected.
> - Zero-byte element collections: because zero-byte elements consume no input
> they bypass the available-bytes check, so additionally cap the cumulative
> item count of such blocks (e.g. array<null> with a huge block count), apply a
> structural cap to all collections, and bound the array/map skip paths so
> skipping a huge block cannot loop unboundedly. This subsumes the separate
> collection-limit work previously tracked under AVRO-4277, which is now
> superseded by this issue.
> Sub-tasks: C (AVRO-4293), C++ (AVRO-4294), C# (AVRO-4295), Python
> (AVRO-4296), Ruby (AVRO-4297), PHP (AVRO-4298), Perl (AVRO-4299), Java
> (AVRO-4300), and JavaScript (AVRO-4301). The zero-byte-element cap,
> structural cap and skip bounding are included for C, C++, Python, PHP, Perl,
> Java and JavaScript; C# and Ruby currently carry the available-bytes checks
> plus negative-length and overflow hardening.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)