Copilot commented on code in PR #3858:
URL: https://github.com/apache/avro/pull/3858#discussion_r3567561176
##########
lang/c/src/encoding_binary.c:
##########
@@ -125,13 +126,33 @@ static int64_t size_int(avro_writer_t writer, const
int32_t i)
static int read_bytes(avro_reader_t reader, char **bytes, int64_t * len)
{
int rval;
+ int64_t available;
check_prefix(rval, read_long(reader, len),
"Cannot read bytes length: ");
if (*len < 0) {
avro_set_error("Invalid bytes length: %" PRId64, *len);
return EINVAL;
}
- *bytes = (char *) avro_malloc(*len + 1);
+ /* Reject a declared length that exceeds the data actually available
+ * before allocating for it, to guard against an out-of-memory attack
+ * from a malicious or truncated input. Only enforced when the reader
+ * can report the amount remaining. */
+ available = avro_reader_bytes_available(reader);
+ if (available >= 0 && *len > available) {
+ avro_set_error("Bytes length %" PRId64
+ " exceeds %" PRId64 " bytes available",
+ *len, available);
+ return EINVAL;
+ }
+ /* Bound the length so the +1 (NUL terminator) cannot overflow the
+ * size_t allocation size, which could otherwise undersize the buffer
+ * and lead to an out-of-bounds read/write. */
+ if ((uint64_t) *len > (uint64_t) (SIZE_MAX - 1)) {
+ avro_set_error("Bytes length %" PRId64
+ " exceeds the maximum allocatable size", *len);
+ return EINVAL;
+ }
Review Comment:
read_bytes() bounds the allocation with SIZE_MAX-1 but still allows
len==INT64_MAX on 64-bit platforms. That value overflows later in value-read.c
when the AVRO_BYTES case computes len+1 to record the allocated size, which is
undefined behavior and can corrupt the wrapped buffer size metadata (especially
on overcommitting allocators that return non-NULL for huge sizes). Add an
INT64_MAX-1 bound here (mirroring read_string) so callers never see a length
that would overflow when adding the NUL terminator.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]