Copilot commented on code in PR #3853:
URL: https://github.com/apache/avro/pull/3853#discussion_r3568129129


##########
lang/c/src/codec.c:
##########
@@ -141,12 +188,29 @@ static int decode_snappy(avro_codec_t c, void * data, 
int64_t len)
 {
         uint32_t crc;
         size_t outlen;
+        int64_t max_len = avro_max_decompress_length();
+
+        /* The block carries a trailing 4-byte CRC; a length below that is
+         * malformed and would underflow len - 4. */
+        if (len < 4) {
+                avro_set_error("Snappy block too small (%lld bytes), expected 
at least 4",
+                               (long long) len);

Review Comment:
   decode_snappy validates len >= 4, but still passes `len-4` (int64_t) to 
Snappy APIs that take `size_t`, and also uses `len-4` in pointer arithmetic 
later. On 32-bit (or any platform where `len-4` can exceed `SIZE_MAX`), this 
will truncate during implicit conversion and can lead to out-of-bounds 
reads/crashes. Add an explicit range check that `len-4` fits in `size_t`, and 
use a single `size_t inlen = (size_t)(len-4)` for all Snappy calls and CRC 
offset computations.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to