You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@thrift.apache.org by "Dvir Volk (JIRA)" <ji...@apache.org> on 2015/06/02 10:04:47 UTC
[jira] [Comment Edited] (THRIFT-3175) fastbinary.c python
deserialize can cause huge allocations from garbage
[ https://issues.apache.org/jira/browse/THRIFT-3175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568733#comment-14568733 ]
Dvir Volk edited comment on THRIFT-3175 at 6/2/15 8:01 AM:
-----------------------------------------------------------
This is the PR.
https://github.com/apache/thrift/pull/511
The FastBinaryProtocol doesn't have any tests at all BTW, so I had nowhere to add a test for it to.
was (Author: dvirsky):
This is the PR.
https://issues.apache.org/jira/browse/THRIFT-3175
The FastBinaryProtocol doesn't have any tests at all BTW, so I had nowhere to add a test for it to.
> fastbinary.c python deserialize can cause huge allocations from garbage
> -----------------------------------------------------------------------
>
> Key: THRIFT-3175
> URL: https://issues.apache.org/jira/browse/THRIFT-3175
> Project: Thrift
> Issue Type: Bug
> Components: Python - Library
> Reporter: Dvir Volk
>
> In the fastbinary python deserializer, allocating a list is done like so:
> {code}
> len = readI32(input);
> if (!check_ssize_t_32(len)) {
> return NULL;
> }
> ret = PyList_New(len);
> {code}
> The only validation of len is that it's under INT_MAX. I've encountered a situation where upon receiving garbage input, and having len be read as something like 1 billion, the library treated this as a valid input, allocated gigs of RAM, and caused a server to crash.
> The quick fix I made was to limit list sizes to a sane value of a few thousands that more than suits my personal needs.
> But IMO this should be dealt with properly. One way that comes to mind is not pre-allocating the entire list in advance in case it's really big, and resizing it in smaller steps while reading the input.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)