github-actions[bot] commented on code in PR #63662:
URL: https://github.com/apache/doris/pull/63662#discussion_r3302010277
##########
be/src/core/value/quantile_state.cpp:
##########
@@ -93,6 +93,10 @@ bool QuantileState::is_valid(const Slice& slice) {
}
uint16_t num_explicits = decode_fixed16_le(ptr);
ptr += sizeof(uint16_t);
+ const size_t remaining_size = static_cast<size_t>(end - ptr);
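Review bot: the `static_cast<size_t>(end - ptr)` on the added line is only safe if `ptr <= end` holds here, i.e. if a check above the hunk already guaranteed the two bytes that `decode_fixed16_le(ptr)` reads and `ptr += sizeof(uint16_t)` skips; the visible context shows the decode happening right after a closing `}` with no length test in between, so if that `}` closes a check that covers only the type byte, a one-byte or two-byte payload makes `end - ptr` negative and the cast yields a value near `SIZE_MAX`, which satisfies any `remaining_size >= needed` comparison that follows. Please either guard the decode with `if (end - ptr < static_cast<ptrdiff_t>(sizeof(uint16_t))) return false;` or put a `DCHECK(ptr <= end)` immediately before the cast, and when `remaining_size` is compared against `num_explicits` prefer a division (`remaining_size / element_size >= num_explicits`) over a multiplication so the comparison cannot overflow either.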
Review Comment:
This validation still accepts a malformed EXPLICIT state with `num_explicits
== 0`. That payload is not produced by normal `QuantileState` construction, but
`quantile_state_from_base64()` can supply it directly: `is_valid()` returns
true when the remaining size is zero, then `deserialize()` does
`_explicit_data.resize(0)` and evaluates `&_explicit_data[0]` in the subsequent
`memcpy`, which is undefined for an empty vector even with a zero byte count.
Since this PR is hardening untrusted serialized input in
`QuantileState::is_valid()`, please reject zero explicit counts here (or the
minimum valid explicit count, if that invariant should be `>= 2`) before
accepting the payload.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]