OxBat opened a new pull request, #584: URL: https://github.com/apache/logging-log4cxx/pull/584
### Summary

I identified a critical integer truncation vulnerability in `PatternLayout::format`. The code explicitly casts the 64-bit buffer length (`size_t`) to a signed 32-bit integer (`int`). On 64-bit systems, if a log message exceeds 2GB (e.g., large JSON dumps or accumulated stack traces), the length wraps around to a negative number. This negative index is then passed to downstream formatters, leading to out-of-bounds memory access (heap corruption) or segmentation faults.

### Technical Analysis

In `src/main/cpp/patternlayout.cpp` (around line 130):

```cpp
// Vulnerable Code:
int startField = (int)output.length();
```

When `output.length()` > `INT_MAX`, `startField` becomes negative. This `startField` is subsequently used for pointer arithmetic or string indexing in `FormattingInfo`, causing the crash.

**Remediation**

This patch removes the unsafe cast and updates the variable type to `size_t` to correctly handle the return type of `std::string::length()`.

**Steps to Reproduce (Logic)**

1. Configure a `PatternLayout` with `%m`.
2. Log a message string larger than 2GB on a 64-bit build.
3. The cast to `int` truncates the size, resulting in a negative offset.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
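The truncation the PR describes, shown as an added example that is not log4cxx code and not part of the pull request: the pre-fix `int` cast beside the `size_t` version, a predicate that tells whether a given buffer length would wrap, and a hypothetical `padFieldFrom` step (assumed, not the real `FormattingInfo` logic) that models how a later formatter consumes the start offset and rejects an out-of-range one.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed model of the "remember where the field starts, pad it later"
// pattern; the functions below are assumptions, not log4cxx internals.

// Before the fix: the start offset is narrowed to a signed 32-bit int.
int startFieldAsInt(std::size_t outputLength) {
    return (int)outputLength;   // wraps negative once outputLength > INT_MAX
}

// After the fix: keep the type std::string::length() actually returns.
std::size_t startFieldAsSizeT(std::size_t outputLength) {
    return outputLength;
}

// Would the pre-fix cast yield a negative offset for this buffer length?
bool castWraps(std::size_t outputLength) {
    return outputLength > static_cast<std::size_t>(INT_MAX);
}

// Hypothetical padding step: left-pad the field that begins at `start` up to
// `minWidth` characters. A negative or past-the-end start is refused (returns
// false, buffer untouched) instead of being used as an index.
bool padFieldFrom(std::string& buf, long long start, std::size_t minWidth) {
    if (start < 0 || static_cast<std::size_t>(start) > buf.size()) return false;
    std::size_t from = static_cast<std::size_t>(start);
    std::size_t fieldLen = buf.size() - from;
    if (fieldLen < minWidth) buf.insert(from, minWidth - fieldLen, ' ');
    return true;
}

int main() {
    // Constructed length: one byte past INT_MAX, the smallest length that wraps.
    std::size_t len = static_cast<std::size_t>(INT_MAX) + 1;
    std::printf("as int: %d  as size_t: %zu  wraps: %d\n",
                startFieldAsInt(len), startFieldAsSizeT(len), castWraps(len));
    std::string buf = "msg";
    std::printf("pad from wrapped offset accepted: %d\n",
                padFieldFrom(buf, startFieldAsInt(len), 8));
    return 0;
}
```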
