[C] Fix negative block size validation in datafile reader #3623
+4
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The file_read_block_count() function in datafile.c reads block size
using zigzag encoding, which can produce negative numbers from
malicious Avro container files. These negative values were passed
directly to avro_malloc(), causing allocation failures.
This patch adds validation to reject negative block size values with
a clear error message before attempting memory allocation.
Bug: Negative block size from varint decoding causes
allocation-size-too-big when cast to size_t
Impact: DoS via crafted .avro file
Co-Authored-By: Claude <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fix missing validation for negative block size values in
file_read_block_count()function indatafile.c.Problem
The block size is read using zigzag encoding which can decode to negative numbers from malicious Avro container files. These negative values were passed directly to
avro_malloc(), causing:int64_tis cast tosize_t.avrofilesChanges
len < 0check infile_read_block_count()before allocationEINVALwith descriptive error message on invalid inputTesting
Verified with AddressSanitizer fuzzing - crash no longer reproduces.
Generated with Claude Code