Skip to content

Commit

Permalink
AVRO-3635: Disallow skipping a negative amount of bytes (#2997)
Browse files Browse the repository at this point in the history
This is what all other implementations of this method do, and fixes
infinite loops due to malicious data.
  • Loading branch information
opwvhk authored Jul 7, 2024
1 parent e921462 commit 9233d64
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -17,17 +17,17 @@
*/
package org.apache.avro.io;

import org.apache.avro.AvroRuntimeException;
import org.apache.avro.InvalidNumberEncodingException;
import org.apache.avro.SystemLimitException;
import org.apache.avro.util.Utf8;

import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.Arrays;

import org.apache.avro.AvroRuntimeException;
import org.apache.avro.InvalidNumberEncodingException;
import org.apache.avro.SystemLimitException;
import org.apache.avro.util.Utf8;

/**
* An {@link Decoder} for binary-format data.
* <p/>
Expand Down Expand Up @@ -338,6 +338,9 @@ public int readEnum() throws IOException {
}

protected void doSkipBytes(long length) throws IOException {
if (length <= 0) {
return;
}
int remaining = limit - pos;
if (length <= remaining) {
pos = (int) (pos + length);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -661,6 +661,7 @@ private void skipGenerated(Decoder bd) throws IOException {
// booleans are one byte, array trailer is one byte
bd.skipFixed((int) leftover + 1);
bd.skipFixed(0);
bd.skipFixed(-8); // Should be a no-op; see AVRO-3635
bd.readLong();
}
EOFException eof = null;
Expand Down

0 comments on commit 9233d64

Please sign in to comment.