This is an automated email from the ASF dual-hosted git repository.
mgrigorov pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/avro.git
The following commit(s) were added to refs/heads/main by this push:
new f42ac2fe28 [C] Fix negative length validation in binary decoding
(#3622)
f42ac2fe28 is described below
commit f42ac2fe28e0832267d58416000886a2de72b09f
Author: Ze Sheng <[email protected]>
AuthorDate: Mon Jan 19 00:22:23 2026 -0600
[C] Fix negative length validation in binary decoding (#3622)
* [C] Fix negative length validation in read_bytes and read_string
The read_bytes() and read_string() functions in encoding_binary.c
decode length values using zigzag encoding, which can produce negative
numbers from malicious input. These negative values were passed directly
to avro_malloc(), causing allocation failures or undefined behavior.
This patch adds validation to reject negative length values with a
clear error message before attempting memory allocation.
Bug: Negative length values from varint decoding cause
allocation-size-too-big when cast to size_t
Impact: DoS via crafted binary input
Co-Authored-By: Claude <[email protected]>
* Update lang/c/src/encoding_binary.c
Co-authored-by: Martin Grigorov <[email protected]>
* Fix indentation in skip_bytes validation
---------
Co-authored-by: Claude <[email protected]>
Co-authored-by: Martin Grigorov <[email protected]>
---
lang/c/src/encoding_binary.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lang/c/src/encoding_binary.c b/lang/c/src/encoding_binary.c
index 1fc5f0c9a7..96dacea583 100644
--- a/lang/c/src/encoding_binary.c
+++ b/lang/c/src/encoding_binary.c
@@ -127,6 +127,10 @@ static int read_bytes(avro_reader_t reader, char **bytes,
int64_t * len)
int rval;
check_prefix(rval, read_long(reader, len),
"Cannot read bytes length: ");
+ if (*len < 0) {
+ avro_set_error("Invalid bytes length: %" PRId64, *len);
+ return EINVAL;
+ }
*bytes = (char *) avro_malloc(*len + 1);
if (!*bytes) {
avro_set_error("Cannot allocate buffer for bytes value");
@@ -143,6 +147,10 @@ static int skip_bytes(avro_reader_t reader)
int rval;
check_prefix(rval, read_long(reader, &len),
"Cannot read bytes length: ");
+ if (len < 0) {
+ avro_set_error("Invalid bytes length: %" PRId64, len);
+ return EINVAL;
+ }
AVRO_SKIP(reader, len);
return 0;
}
@@ -175,6 +183,10 @@ static int read_string(avro_reader_t reader, char **s,
int64_t *len)
int rval;
check_prefix(rval, read_long(reader, &str_len),
"Cannot read string length: ");
+ if (str_len < 0) {
+ avro_set_error("Invalid string length: %" PRId64, str_len);
+ return EINVAL;
+ }
*len = str_len + 1;
*s = (char *) avro_malloc(*len);
if (!*s) {
