Daniel Becker created IMPALA-13150:
--------------------------------------
Summary: Possible buffer overflow in StringVal
Key: IMPALA-13150
URL: https://issues.apache.org/jira/browse/IMPALA-13150
Project: IMPALA
Issue Type: Bug
Components: Backend
Reporter: Daniel Becker
Assignee: Daniel Becker
In {{{}StringVal::CopyFrom(){}}}, we take the 'len' parameter as a
{{{}size_t{}}}, which is usually a 64-bit unsigned integer. We pass it to the
constructor of {{{}StringVal{}}}, which takes it as an {{{}int{}}}, which is
usually a 32-bit signed integer. The constructor then allocates memory for the
length using the {{int}} value, but back in {{{}CopyFrom(){}}}, we copy the
buffer with the {{size_t}} length. If {{size_t}} is indeed 64 bits and {{int}}
is 32 bits, and the value is truncated, we may copy more bytes that what we
have allocated the destination for. See
https://github.com/apache/impala/blob/ce8078204e5995277f79e226e26fe8b9eaca408b/be/src/udf/udf.cc#L546
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
