Copilot commented on code in PR #3853:
URL: https://github.com/apache/avro/pull/3853#discussion_r3568129129
##########
lang/c/src/codec.c:
##########
@@ -141,12 +188,29 @@ static int decode_snappy(avro_codec_t c, void * data,
int64_t len)
{
uint32_t crc;
size_t outlen;
+ int64_t max_len = avro_max_decompress_length();
+
+ /* The block carries a trailing 4-byte CRC; a length below that is
+ * malformed and would underflow len - 4. */
+ if (len < 4) {
+ avro_set_error("Snappy block too small (%lld bytes), expected
at least 4",
+ (long long) len);
Review Comment:
decode_snappy validates len >= 4, but still passes `len-4` (int64_t) to
Snappy APIs that take `size_t`, and also uses `len-4` in pointer arithmetic
later. On 32-bit (or any platform where `len-4` can exceed `SIZE_MAX`), this
will truncate during implicit conversion and can lead to out-of-bounds
reads/crashes. Add an explicit range check that `len-4` fits in `size_t`, and
use a single `size_t inlen = (size_t)(len-4)` for all Snappy calls and CRC
offset computations.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]