[ 
https://issues.apache.org/jira/browse/AVRO-4275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ismaël Mejía resolved AVRO-4275.
--------------------------------
    Resolution: Duplicate

Superseded by AVRO-4293. The INT64_MIN block-count negation fix for [C] has 
been folded into that issue's PR (https://github.com/apache/avro/pull/3858) 
together with the broader collection allocation bounding, forming a single 
complete fix for the C SDK. Resolving as a duplicate/superseded; the standalone 
PR here is closed in favour of #3858.

> [C] Signed integer overflow in read_array_value / read_map_value negation of 
> block_count
> ----------------------------------------------------------------------------------------
>
>                 Key: AVRO-4275
>                 URL: https://issues.apache.org/jira/browse/AVRO-4275
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: c
>    Affects Versions: 1.11.5, 1.12.1
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: Critical
>              Labels: pull-request-available
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> The C SDK binary value decoder in {{lang/c/src/value-read.c}} negates 
> {{block_count}} unconditionally when the value is negative:
> {code:c}
> // read_array_value(), line 56:
> block_count = block_count * -1;
> // read_map_value(), line 92:
> block_count = block_count * -1;
> {code}
> Per the Avro spec, a negative block count indicates that the absolute value 
> is the item count, followed by a block byte-size prefix. However, certain 
> negative values cannot be safely negated in {{int64_t}} -- the multiplication 
> is signed-integer overflow (undefined behavior in C, CWE-190). On common 
> platforms the result remains negative; the subsequent cast to {{size_t}} in 
> the loop condition then yields an extremely large iteration count, driving 
> unbounded memory allocation until process exhaustion.
> This is the C SDK counterpart to the Java SDK issue fixed in 1.11.3 via 
> {{SystemLimitException.checkMaxCollectionLength}}. The C++ SDK equivalent was 
> fixed in AVRO-4228.
> *Affected versions:* All releases of the C SDK up to and including 1.12.0.
> *Fix:* Replace the unsafe multiplication-based negation with the 
> overflow-safe idiom used in the C++ fix (AVRO-4228), followed by a validity 
> guard that rejects non-positive results:
> {code:c}
> block_count = -(block_count + 1) + 1;
> if (block_count <= 0) {
>     avro_set_error("Invalid array block count");
>     return EINVAL;
> }
> {code}
> This eliminates the undefined behavior, rejects invalid input gracefully, and 
> preserves correct handling of all legitimate negative block counts.
> *Reported by:* Brian Lee (Georgia Tech SSLab)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to