iemejia commented on code in PR #3853:
URL: https://github.com/apache/avro/pull/3853#discussion_r3567524975


##########
lang/c/src/codec.c:
##########
@@ -304,11 +365,26 @@ static int encode_deflate(avro_codec_t c, void * data, 
int64_t len)
 static int decode_deflate(avro_codec_t c, void * data, int64_t len)
 {
        int err;
+       int64_t max_len = avro_max_decompress_length();
        z_stream *s = codec_data_inflate_stream(c->codec_data);
 
+       /* zlib's avail_out is a uInt; keep the working cap within its range so
+        * the buffer-growth arithmetic below cannot truncate when updating
+        * avail_out, which would leave zlib's state inconsistent. */
+       if (max_len > (int64_t) UINT_MAX) {
+               max_len = (int64_t) UINT_MAX;
+       }
+
        if (!c->block_data) {
-               c->block_data = avro_malloc(DEFAULT_BLOCK_SIZE);
-               c->block_size = DEFAULT_BLOCK_SIZE;
+               /* Do not allocate more than the configured decompression cap: 
if
+                * max_len is smaller than DEFAULT_BLOCK_SIZE, start at 
max_len. */
+               size_t init_size = ((int64_t) DEFAULT_BLOCK_SIZE > max_len)
+                   ? (size_t) max_len : (size_t) DEFAULT_BLOCK_SIZE;
+               if (init_size == 0) {
+                       init_size = 1;
+               }
+               c->block_data = avro_malloc(init_size);
+               c->block_size = init_size;
        }
 
        if (!c->block_data)

Review Comment:
   Fixed — decode_deflate now rejects a compressed `len` that is negative or > 
UINT_MAX before assigning zlib's `avail_in` (uInt), and casts explicitly, so a 
large length can't truncate.



##########
lang/c/src/codec.c:
##########
@@ -43,9 +44,52 @@
 #include "avro/errors.h"
 #include "avro/allocation.h"
 #include "codec.h"
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
 
 #define DEFAULT_BLOCK_SIZE     (16 * 1024)
 
+/*
+ * When reading a data file, each block is decompressed according to the file's
+ * codec. A block with a very high compression ratio (or a malformed block) can
+ * expand to far more memory than its compressed size. To guard against
+ * unbounded allocation, the decompressed size of a single block is capped. 
This
+ * mirrors the Java SDK's decompression limit (AVRO-4247). The default can be
+ * overridden with the AVRO_MAX_DECOMPRESS_LENGTH environment variable.
+ */
+#define AVRO_DEFAULT_MAX_DECOMPRESS_LENGTH     ((int64_t) 200 * 1024 * 1024)  
/* 200 MiB */
+
+static int64_t
+avro_max_decompress_length(void)
+{
+       const char *env = getenv("AVRO_MAX_DECOMPRESS_LENGTH");
+       if (env != NULL && *env != '\0') {
+               char *end = NULL;
+               errno = 0;
+               long long value = strtoll(env, &end, 10);
+               if (errno == 0 && end != NULL && *end == '\0' && value > 0) {
+                       /* Clamp to INT64_MAX before narrowing to int64_t: long
+                        * long may be wider than 64-bit, so a large (but valid)
+                        * value could otherwise overflow/wrap in the cast. */
+                       if (value > (long long) INT64_MAX) {
+                               value = (long long) INT64_MAX;
+                       }
+                       int64_t v = (int64_t) value;
+                       /* Clamp to what size_t can address so the value is 
always
+                        * safe to use as an allocation cap. On 32-bit platforms
+                        * size_t is narrower than int64_t, and an unclamped 
value
+                        * would truncate when passed to 
avro_malloc/avro_realloc. */
+                       if ((uint64_t) v > (uint64_t) SIZE_MAX) {
+                               return (int64_t) SIZE_MAX;
+                       }
+                       return v;
+               }
+       }
+       return AVRO_DEFAULT_MAX_DECOMPRESS_LENGTH;

Review Comment:
   This was fixed in commit 0db06f8a17 — a positive strtoll overflow 
(errno==ERANGE, LLONG_MAX) now clamps to the max usable cap (min of INT64_MAX 
and SIZE_MAX) instead of falling back to the 200 MiB default.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to