iemejia commented on code in PR #3858:
URL: https://github.com/apache/avro/pull/3858#discussion_r3567577526


##########
lang/c/src/encoding_binary.c:
##########
@@ -125,13 +126,33 @@ static int64_t size_int(avro_writer_t writer, const 
int32_t i)
 static int read_bytes(avro_reader_t reader, char **bytes, int64_t * len)
 {
        int rval;
+       int64_t available;
        check_prefix(rval, read_long(reader, len),
                     "Cannot read bytes length: ");
        if (*len < 0) {
                avro_set_error("Invalid bytes length: %" PRId64, *len);
                return EINVAL;
        }
-       *bytes = (char *) avro_malloc(*len + 1);
+       /* Reject a declared length that exceeds the data actually available
+        * before allocating for it, to guard against an out-of-memory attack
+        * from a malicious or truncated input. Only enforced when the reader
+        * can report the amount remaining. */
+       available = avro_reader_bytes_available(reader);
+       if (available >= 0 && *len > available) {
+               avro_set_error("Bytes length %" PRId64
+                              " exceeds %" PRId64 " bytes available",
+                              *len, available);
+               return EINVAL;
+       }
+       /* Bound the length so the +1 (NUL terminator) cannot overflow the
+        * size_t allocation size, which could otherwise undersize the buffer
+        * and lead to an out-of-bounds read/write. */
+       if ((uint64_t) *len > (uint64_t) (SIZE_MAX - 1)) {
+               avro_set_error("Bytes length %" PRId64
+                              " exceeds the maximum allocatable size", *len);
+               return EINVAL;
+       }

Review Comment:
   Fixed — read_bytes now also rejects len > INT64_MAX - 1 (matching 
read_string), so the AVRO_BYTES caller's len + 1 in value-read.c can't overflow 
on 64-bit platforms where SIZE_MAX > INT64_MAX.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to