jacktengg opened a new pull request, #63702:
URL: https://github.com/apache/doris/pull/63702
Problem Summary:
`BitmapValue::deserialize(const char* src)` lacked a buffer length and
called upstream `Roaring64Map::read(src)` whose documentation explicitly warns
it is unsafe: "if you provide bad data, many bytes could be read, possibly
causing a buffer overflow". The function trusts an inline `map_size` varint
(unbounded) and the per-bucket `roaring::Roaring::read` (also unsafe, no
`maxbytes`). A crafted/corrupt BITMAP payload, e.g. one fed through
`bitmap_from_base64('BP////8P')` (BITMAP64 + varint UINT32_MAX), would loop
deep past the end of the input buffer.
The pre-existing `try/catch(std::runtime_error)` only catches roaring's own
exceptions; a silent over-read does not necessarily throw and ASAN flags it as
heap-buffer-overflow.
Fix:
- Add `Roaring64Map::readSafe(buf, maxbytes)` built on the CRoaring
`roaring_bitmap_*deserialize_safe` primitives, with an explicit upper bound on
the outer `map_size` varint for BITMAP64.
- Add a bounded `BitmapValue::deserialize(const char* src, size_t maxbytes)`
that validates every per-branch size (SINGLE32/SINGLE64, BITMAP32/64, v2
portable, SET, SET_V2) before reading and catches both `std::runtime_error` and
`doris::Exception`.
- Replace the unsafe `BitmapValue(const char*)` constructor with
`BitmapValue(const char*, size_t maxbytes)` that throws on failure.
- Migrate all untrusted callers (`data_type_bitmap_serde.cpp`,
`function_bitmap.cpp` / `bitmap_from_base64`, `data_type_bitmap.cpp`,
`column_complex.h`) to pass the actual buffer length.
- Harden `BitmapIntersect<T>::deserialize` similarly: `Helper::read_from`
now bounds-checks every read (POD, datetime, decimal, string), and
`BitmapIntersect::deserialize` and its constructor take an explicit `maxbytes`.
Update the single caller in `aggregate_function_orthogonal_bitmap.h`.
- Drop the unused `BitmapExprCalculation(const char*)` constructor.
### What problem does this PR solve?
Issue Number: close #xxx
Related PR: #xxx
Problem Summary:
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
    - [ ] Regression test
    - [ ] Unit Test
    - [ ] Manual test (add detailed scripts or steps below)
    - [ ] No need to test or manual test. Explain why:
        - [ ] This is a refactor/code format and no logic has been changed.
        - [ ] Previous test can cover this change.
        - [ ] No code files have been changed.
        - [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
    - [ ] No.
    - [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
    - [ ] No.
    - [ ] Yes. <!-- Add document PR link here. eg: https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should merge into -->
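The bound that the PR description asks for, as an added example written for this page and not code from Apache Doris or CRoaring: a length-aware deserializer in the spirit of `BitmapValue::deserialize(const char*, size_t maxbytes)` and of the bounds-checking `Helper::read_from`. Every read goes through a cursor that refuses to advance past `maxbytes`, and the BITMAP64 branch checks the `map_size` varint against the bytes actually remaining before it enters the per-bucket loop, which is the check the unbounded reader lacked. The type-tag values and the 8-byte-header per-bucket layout are assumptions made for this example (the real per-bucket payload is a CRoaring portable bitmap); the only page-derived input is the base64 string `BP////8P`, which decodes to the six bytes `04 FF FF FF FF 0F`, i.e. a BITMAP64 tag followed by the varint UINT32_MAX.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Type tags. The names mirror the ones in the PR text; the numeric values are
// an assumption for this example and are not taken from the Doris sources.
enum BitmapTypeCode : uint8_t { EMPTY = 0, SINGLE32 = 1, BITMAP32 = 2, SINGLE64 = 3, BITMAP64 = 4 };

// Every read goes through this cursor, so no read can advance past maxbytes.
struct ReadCursor {
    const uint8_t* p;
    size_t remaining;
    bool take(size_t n, const uint8_t** out) {
        if (n > remaining) return false;   // refuse instead of over-reading
        *out = p;
        p += n;
        remaining -= n;
        return true;
    }
};

// Bounded LEB128 varint reader: fails on truncation and on more than 10 bytes.
bool read_varint(ReadCursor& c, uint64_t* out) {
    uint64_t v = 0;
    for (int i = 0; i < 10; ++i) {
        const uint8_t* b;
        if (!c.take(1, &b)) return false;
        v |= static_cast<uint64_t>(*b & 0x7f) << (7 * i);
        if ((*b & 0x80) == 0) { *out = v; return true; }
    }
    return false;
}

struct DecodeResult {
    bool ok = false;
    std::string error;
    size_t buckets = 0;      // BITMAP64: number of buckets walked
    uint64_t single = 0;     // SINGLE32/SINGLE64: the value (little-endian host assumed)
};

// Toy per-bucket layout (assumed for this example, not Doris's real one):
// 4-byte LE high key + 4-byte LE payload length + payload.
constexpr size_t kMinBucketBytes = 8;

DecodeResult deserialize_bounded(const uint8_t* src, size_t maxbytes) {
    DecodeResult r;
    ReadCursor c{src, maxbytes};
    const uint8_t* tag;
    if (!c.take(1, &tag)) { r.error = "empty input"; return r; }
    switch (*tag) {
    case EMPTY:
        r.ok = true;
        return r;
    case SINGLE32: {
        const uint8_t* v;
        if (!c.take(4, &v)) { r.error = "SINGLE32 needs 4 bytes"; return r; }
        uint32_t x;
        std::memcpy(&x, v, 4);
        r.single = x;
        r.ok = true;
        return r;
    }
    case SINGLE64: {
        const uint8_t* v;
        if (!c.take(8, &v)) { r.error = "SINGLE64 needs 8 bytes"; return r; }
        std::memcpy(&r.single, v, 8);
        r.ok = true;
        return r;
    }
    case BITMAP64: {
        uint64_t map_size;
        if (!read_varint(c, &map_size)) { r.error = "bad map_size varint"; return r; }
        // The check the unbounded reader lacked: the bucket count must fit in
        // the bytes actually left, decided before any loop iteration runs.
        if (map_size > c.remaining / kMinBucketBytes) {
            r.error = "map_size " + std::to_string(map_size) + " exceeds remaining input";
            return r;
        }
        for (uint64_t i = 0; i < map_size; ++i) {
            const uint8_t* hdr;
            if (!c.take(kMinBucketBytes, &hdr)) { r.error = "truncated bucket header"; return r; }
            uint32_t len;
            std::memcpy(&len, hdr + 4, 4);
            const uint8_t* payload;
            if (!c.take(len, &payload)) { r.error = "bucket payload exceeds remaining input"; return r; }
            ++r.buckets;
        }
        r.ok = true;
        return r;
    }
    default:
        r.error = "unknown type tag";
        return r;
    }
}

// Constructed inputs.
// base64 "BP////8P" from the PR text decodes to exactly these 6 bytes:
// BITMAP64 tag followed by the varint 0xFFFFFFFF (UINT32_MAX).
const uint8_t kCraftedPayload[] = {0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
// A well-formed two-bucket payload in the toy layout above.
const uint8_t kGoodPayload[] = {0x04, 0x02,
                                0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xAA, 0xBB,
                                0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xCC};
// SINGLE32 carrying the value 42.
const uint8_t kSingle32Payload[] = {0x01, 0x2A, 0x00, 0x00, 0x00};
```

On the crafted payload the reader stops right after the varint: zero bytes remain, so a `map_size` of 4294967295 cannot possibly be satisfied and the loop never starts. Truncating the well-formed payload by one byte is caught by the per-read check on the last bucket, and an undersized `maxbytes` for a SINGLE32 value is refused by the cursor rather than read from whatever follows the buffer. The same cursor discipline is what a bounded `read_from` for POD, datetime, decimal and string fields amounts to: state how many bytes the field needs, then ask the cursor for them and fail cleanly if it says no.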
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]