stiga-huang commented on PR #2818: URL: https://github.com/apache/thrift/pull/2818#issuecomment-1595436982
Thanks for the quick review! IIUC, `TMemoryBuffer` can be used to serialize any thrift object and the thrift object can exceed 4GB in the total size. E.g. in Impala, we have such a thrift object that contains `map<string, string>` and `list<string>`. The total length could be arbitrarily long: https://github.com/apache/impala/blob/06eb62d3efa1c94810c4276f90896fa62205a49b/common/thrift/RuntimeProfile.thrift#L239-L242 We need to correctly reject such serialization, i.e. throw `TTransportException` about "Internal buffer size overflow". Currently, due to the overflow of `uint32_t`, `TMemoryBuffer::ensureCanWrite()` thought the write is legal and proceed without actually expanding the buffer (since `new_size` is smaller than the current size). It then writes to invalid memory and leads to a crash. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
