iemejia commented on code in PR #3858:
URL: https://github.com/apache/avro/pull/3858#discussion_r3566892952


##########
lang/c/src/map.c:
##########
@@ -109,13 +109,14 @@ int avro_raw_map_get_or_create(avro_raw_map_t *map, const 
char *key,
                i = map->elements.element_count;
                avro_raw_map_entry_t  *raw_entry =
                    (avro_raw_map_entry_t *) 
avro_raw_array_append(&map->elements);
-               raw_entry->key = avro_strdup(key);
-               st_insert((st_table *) map->indices_by_key,
-                         (st_data_t) raw_entry->key, (st_data_t) i);
                if (!raw_entry) {
-                       avro_str_free((char*)raw_entry->key);
+                       /* avro_raw_array_append returns NULL on allocation
+                        * failure; check before dereferencing it. */
                        return -ENOMEM;
                }
+               raw_entry->key = avro_strdup(key);
+               st_insert((st_table *) map->indices_by_key,
+                         (st_data_t) raw_entry->key, (st_data_t) i);
                el = ((char *) raw_entry) + sizeof(avro_raw_map_entry_t);
                is_new = 1;

Review Comment:
   Fixed in 36b71c2b08: the key is now copied via avro_str_alloc() with an 
explicit NULL check (avro_strdup() memcpy()s into its buffer without checking, 
so it crashes on OOM). The entry is indexed only once the copy succeeds; on 
failure the just-appended element is rolled back (element_count--), so the map 
isn't left with a NULL-key entry.



##########
lang/c/tests/test_avro_4293.c:
##########
@@ -0,0 +1,484 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.  See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * A bytes/string value is encoded as a length prefix followed by that many
+ * bytes of data. A malicious or truncated input can declare a huge length with
+ * little or no actual data, which previously caused a correspondingly huge
+ * allocation before the shortfall was noticed. When the reader knows how many
+ * bytes remain (a memory-backed reader), the declared length must be rejected
+ * before allocating for it.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <avro.h>
+
+/* Portable set/unset of the collection-limit environment variable: MSVC has no
+ * setenv/unsetenv, so use _putenv_s (an empty value unsets the variable). */
+#ifdef _WIN32
+static void set_collection_limit(const char *value)
+{
+       _putenv_s("AVRO_MAX_COLLECTION_ITEMS", value);
+}
+static void unset_collection_limit(void)
+{
+       _putenv_s("AVRO_MAX_COLLECTION_ITEMS", "");
+}
+#else
+static void set_collection_limit(const char *value)
+{
+       setenv("AVRO_MAX_COLLECTION_ITEMS", value, 1);
+}
+static void unset_collection_limit(void)
+{
+       unsetenv("AVRO_MAX_COLLECTION_ITEMS");
+}
+#endif
+
+/* Decodes buf against the given schema and returns the avro_value_read rc.
+ * A non-zero rc means the read was rejected. */
+static int try_decode(avro_value_iface_t *iface, const char *buf, size_t 
buf_size)
+{
+       int rc;
+       avro_value_t decoded;
+       avro_reader_t reader;
+
+       rc = avro_generic_value_new(iface, &decoded);
+       if (rc != 0) {
+               fprintf(stderr, "avro_generic_value_new failed: %s\n", 
avro_strerror());
+               return -1;
+       }
+
+       reader = avro_reader_memory(buf, buf_size);
+       if (reader == NULL) {
+               fprintf(stderr, "avro_reader_memory failed\n");
+               avro_value_decref(&decoded);
+               return -1;
+       }
+
+       rc = avro_value_read(reader, &decoded);
+
+       avro_reader_free(reader);
+       avro_value_decref(&decoded);
+       return rc;
+}
+
+static int check_rejects_oversized(const char *schema_literal, const char 
*label)
+{
+       avro_schema_t schema = NULL;
+       avro_value_iface_t *iface = NULL;
+       int rc;
+       int ret = EXIT_FAILURE;
+
+       /*
+        * A length prefix declaring 127 bytes (zig-zag long 254 -> varint
+        * 0xFE 0x01), followed by no data at all. The reader has 0 bytes
+        * remaining after the prefix, so a declared length of 127 must be
+        * rejected before allocating.
+        */
+       const char oversized[] = { (char) 0xFE, (char) 0x01 };
+
+       if (avro_schema_from_json_length(schema_literal, strlen(schema_literal),
+                                        &schema) != 0) {
+               fprintf(stderr, "%s: failed to parse schema: %s\n", label, 
avro_strerror());
+               return EXIT_FAILURE;
+       }
+
+       iface = avro_generic_class_from_schema(schema);
+       if (iface == NULL) {
+               fprintf(stderr, "%s: failed to create iface\n", label);
+               avro_schema_decref(schema);
+               return EXIT_FAILURE;
+       }
+
+       rc = try_decode(iface, oversized, sizeof(oversized));
+       if (rc == 0) {
+               fprintf(stderr, "%s: FAIL - oversized length was accepted\n", 
label);
+       } else if (rc != EINVAL) {
+               /* The availability checks reject with EINVAL before allocating.
+                * A different error (e.g. ENOSPC from failing to read after a
+                * large allocation) would indicate the pre-fix behavior. */
+               fprintf(stderr, "%s: FAIL - rejected with rc=%d (expected 
EINVAL): %s\n",
+                       label, rc, avro_strerror());
+       } else {
+               fprintf(stderr, "%s: oversized length rejected as expected: 
%s\n",
+                       label, avro_strerror());
+               ret = EXIT_SUCCESS;
+       }
+
+       avro_value_iface_decref(iface);
+       avro_schema_decref(schema);
+       return ret;
+}
+
+static int check_accepts_valid(void)
+{
+       avro_schema_t schema = NULL;
+       avro_value_iface_t *iface = NULL;
+       int rc;
+       int ret = EXIT_FAILURE;
+       const char *text = NULL;
+       size_t text_size = 0;
+       avro_value_t decoded;
+       avro_reader_t reader;
+
+       /* A well-formed 3-byte string "abc": length 3 (zig-zag 6 -> 0x06),
+        * then the bytes 'a','b','c'. This must still decode. */
+       const char valid[] = { 0x06, 'a', 'b', 'c' };
+
+       if (avro_schema_from_json_literal("\"string\"", &schema) != 0) {
+               fprintf(stderr, "valid: failed to parse schema: %s\n", 
avro_strerror());
+               return EXIT_FAILURE;
+       }
+       iface = avro_generic_class_from_schema(schema);
+       if (iface == NULL) {
+               fprintf(stderr, "valid: failed to create iface\n");
+               avro_schema_decref(schema);
+               return EXIT_FAILURE;
+       }
+
+       if (avro_generic_value_new(iface, &decoded) != 0) {
+               avro_value_iface_decref(iface);
+               avro_schema_decref(schema);
+               return EXIT_FAILURE;
+       }
+       reader = avro_reader_memory(valid, sizeof(valid));
+       if (reader == NULL) {
+               fprintf(stderr, "valid: avro_reader_memory failed\n");
+               avro_value_decref(&decoded);
+               avro_value_iface_decref(iface);
+               avro_schema_decref(schema);
+               return EXIT_FAILURE;
+       }
+       rc = avro_value_read(reader, &decoded);
+       if (rc == 0 && avro_value_get_string(&decoded, &text, &text_size) == 0 
&&
+           text_size == 4 && strcmp(text, "abc") == 0) {
+               fprintf(stderr, "valid: well-formed string decoded as 
expected\n");
+               ret = EXIT_SUCCESS;
+       } else {
+               fprintf(stderr, "valid: FAIL - well-formed string did not 
decode (rc=%d)\n", rc);
+       }
+
+       avro_reader_free(reader);
+       avro_value_decref(&decoded);
+       avro_value_iface_decref(iface);
+       avro_schema_decref(schema);
+       return ret;
+}
+
+/* An array of nulls: null elements occupy zero bytes, so a large declared
+ * count is legitimate and must not be rejected. */

Review Comment:
   Fixed in 36b71c2b08: reworded — the comment no longer says a large 
null-array count 'must not be rejected' (the zero-byte item cap does bound it); 
it verifies a moderate count is not rejected by the available-bytes check.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to