lucasbru commented on code in PR #22514:
URL: https://github.com/apache/kafka/pull/22514#discussion_r3380763743


##########
clients/src/main/java/org/apache/kafka/common/serialization/ListDeserializer.java:
##########
@@ -153,8 +153,8 @@ private List<Integer> deserializeNullIndexList(final 
DataInputStream dis, final
         if (nullIndexListSize < 0) {
             throw new SerializationException("Corrupted byte[]. The number of 
null list entries cannot be negative.");
         }
-        if (nullIndexListSize > length) {
-            throw new SerializationException("Corrupted byte[]. The number of 
null list entries cannot be larger than overall number of bytes.");
+        if (nullIndexListSize > length / primitiveSize) {
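
Review bot: on the added line `if (nullIndexListSize > length / primitiveSize) {`, the divisor should be the encoded width of one entry of the list being read. This method returns `List<Integer>`, so the natural bound is `length / Integer.BYTES`; `primitiveSize` is not defined in the visible lines, and the hunk does not show that it is always set and non-zero when this path runs. The replacement exception message is cut off here as well, so please confirm it still states which limit was exceeded.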

Review Comment:
   I think `primitiveSize` is the wrong divisor here. The null-index list holds 
indices, each written as a 4-byte `readInt()`.



##########
streams/src/main/java/org/apache/kafka/streams/processor/internals/assignment/AssignmentInfo.java:
##########
@@ -389,7 +389,7 @@ private static void decodeActiveTasks(final AssignmentInfo 
assignmentInfo,
                                           final DataInputStream in,
                                           final int length) throws IOException 
{
         final int count = in.readInt();
-        if (count < 0 || count > length) {
+        if (count < 0 || count > length / (2 * Integer.BYTES)) { // task-id is 
<subtopologyId[INTEGER]><partition[INTEGER]>
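
Review bot: the added condition `count > length / (2 * Integer.BYTES)` carries its justification only in a trailing comment on an already long line. Consider a named constant for the encoded task-id width (two ints, per that comment) so the bound and the wire layout stay together and can be reused. Also, `length` is compared as passed in; if it is the full payload size rather than the bytes left after `in.readInt()`, the bound is a valid upper limit but not a tight one.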

Review Comment:
   `decodePartitionsByHost`, the non-dictionary `readTopicPartitions`, and 
`decodeTopicIndexAndGet` are still left at the loose `> length`. Not wrong, 
just inconsistent if the intent is to bound allocation everywhere.



##########
clients/src/test/java/org/apache/kafka/common/serialization/ListDeserializerTest.java:
##########
@@ -380,14 +380,14 @@ public void shouldThrowOnTooLargeNullEntryLength() {
             (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0xFF // encodes 
number of null entries == 255
         };
 
-        final ListDeserializer<String> testDeserializer = new 
ListDeserializer<>(ArrayList.class, new StringDeserializer());
+        final ListDeserializer<Integer> testDeserializer = new 
ListDeserializer<>(ArrayList.class, new IntegerDeserializer());
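
Review bot: swapping `StringDeserializer` for `IntegerDeserializer` in `shouldThrowOnTooLargeNullEntryLength` drops coverage for the inner deserializer the test used before, and the hunk gives no reason for it. If the String variant no longer produces the expected exception under the new check, that is a behaviour change and deserves its own test case; otherwise keep both variants so the 255-entry input is shown to be rejected for each.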

Review Comment:
   Did you switch here to integer to make the regression above pass?


