From 9233d64356c782141b8d2c1abd70371d7ad6e0d1 Mon Sep 17 00:00:00 2001 From: Oscar Westra van Holthe - Kind Date: Sun, 7 Jul 2024 20:41:12 +0200 Subject: [PATCH] AVRO-3635: Disallow skipping a negative amount of bytes (#2997) This is what all other implementations of this method do, and fixes infinite loops due to malicious data. --- .../main/java/org/apache/avro/io/BinaryDecoder.java | 13 ++++++++----- .../java/org/apache/avro/io/TestBinaryDecoder.java | 1 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java b/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java index 95030c4a60a..7217be3addd 100644 --- a/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java +++ b/lang/java/avro/src/main/java/org/apache/avro/io/BinaryDecoder.java @@ -17,17 +17,17 @@ */ package org.apache.avro.io; +import org.apache.avro.AvroRuntimeException; +import org.apache.avro.InvalidNumberEncodingException; +import org.apache.avro.SystemLimitException; +import org.apache.avro.util.Utf8; + import java.io.EOFException; import java.io.IOException; import java.io.InputStream; import java.nio.ByteBuffer; import java.util.Arrays; -import org.apache.avro.AvroRuntimeException; -import org.apache.avro.InvalidNumberEncodingException; -import org.apache.avro.SystemLimitException; -import org.apache.avro.util.Utf8; - /** * An {@link Decoder} for binary-format data. *

@@ -338,6 +338,9 @@ public int readEnum() throws IOException { } protected void doSkipBytes(long length) throws IOException { + if (length <= 0) { + return; + } int remaining = limit - pos; if (length <= remaining) { pos = (int) (pos + length); diff --git a/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java b/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java index 80533585722..b9437bd8a0e 100644 --- a/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java +++ b/lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java @@ -661,6 +661,7 @@ private void skipGenerated(Decoder bd) throws IOException { // booleans are one byte, array trailer is one byte bd.skipFixed((int) leftover + 1); bd.skipFixed(0); + bd.skipFixed(-8); // Should be a no-op; see AVRO-3635 bd.readLong(); } EOFException eof = null;