iemejia commented on code in PR #3860:
URL: https://github.com/apache/avro/pull/3860#discussion_r3566941832


##########
lang/csharp/src/apache/main/IO/BinaryDecoder.netstandard2.0.cs:
##########
@@ -85,6 +85,8 @@ public string ReadString()
                 throw new AvroException("Can not deserialize a string with 
negative length!");
             }
 
+            EnsureAvailableBytes(length);
+
             if (length > MaxDotNetArrayLength)
             {
                 throw new AvroException("String length is not supported!");

Review Comment:
   Fixed in d308962430: ReadString() now reads the length as a long, applies 
the remaining-bytes guard and the max-array-length check, then casts to int. A 
length above int.MaxValue no longer overflows ReadInt() to a negative int and 
throws a misleading 'negative length'.



##########
lang/csharp/src/apache/main/IO/BinaryDecoder.notnetstandard2.0.cs:
##########
@@ -73,6 +73,8 @@ public string ReadString()
                 throw new AvroException("Can not deserialize a string with 
negative length!");
             }
 
+            EnsureAvailableBytes(length);

Review Comment:
   Fixed in d308962430: same change to the non-netstandard2.0 decoder (read 
length as long, validate, then cast to int). Added a regression test via a 
non-seekable stream so the length check is reached.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to