Posted to issues@avro.apache.org by "Christophe Le Saec (Jira)" <ji...@apache.org> on 2023/01/11 16:17:00 UTC

[jira] [Commented] (AVRO-3635) [Java] BinaryDecoder trapped into infinite loop while decode crafted data

    [ https://issues.apache.org/jira/browse/AVRO-3635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17675639#comment-17675639 ] 

Christophe Le Saec commented on AVRO-3635:
------------------------------------------

Do you have any code snippet, or even better a unit test, that generates this issue?

> [Java] BinaryDecoder trapped into infinite loop while decode crafted data
> -------------------------------------------------------------------------
>
>                 Key: AVRO-3635
>                 URL: https://issues.apache.org/jira/browse/AVRO-3635
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.11.0
>            Reporter: bismillah
>            Priority: Major
>             Fix For: 1.12.0
>
>
> stacktrace:
>  
> {code:java}
> "DataComputingThread5" #58 prio=5 os_prio=0 tid=0x0000ffff8ab4b000 nid=0x13907 runnable [0x0000ffff3ce11000]
>    java.lang.Thread.State: RUNNABLE
>     at org.apache.avro.io.BinaryDecoder.doSkipItems(BinaryDecoder.java:454)
>     at org.apache.avro.io.BinaryDecoder.skipArray(BinaryDecoder.java:473)
>     at org.apache.avro.generic.GenericDatumReader.skip(GenericDatumReader.java:576)
>     at org.apache.avro.io.FastReaderBuilder.lambda$initializeRecordReader$0(FastReaderBuilder.java:159)
>     at org.apache.avro.io.FastReaderBuilder$$Lambda$652/470404086.execute(Unknown Source)
>     at org.apache.avro.io.FastReaderBuilder$RecordReader.read(FastReaderBuilder.java:576)
>     at org.apache.avro.io.FastReaderBuilder.lambda$createUnionReader$30(FastReaderBuilder.java:413)
>     at org.apache.avro.io.FastReaderBuilder$$Lambda$679/1790128078.read(Unknown Source)
>     at org.apache.avro.io.FastReaderBuilder.lambda$createFieldSetter$1(FastReaderBuilder.java:182)
> ... {code}
>  
> specific code:
> {code:java}
> private long doSkipItems() throws IOException {
>     long result;
>     for(result = this.readLong(); result < 0L; result = this.readLong()) {
>         long bytecount = this.readLong();
>         this.doSkipBytes(bytecount);
>     }
>     return result;
> }
> protected void doSkipBytes(long length) throws IOException {
>     int remaining = this.limit - this.pos;
>     if (length <= (long)remaining) {
>         this.pos = (int)((long)this.pos + length);
>     } else {
>         this.limit = this.pos = 0;
>         length -= (long)remaining;
>         this.source.skipSourceBytes(length);
>     }
> } {code}
> If the bytecount is negative, during doSkipBytes, the pos is moved forward. As a result, the previous data is parsed repeatedly.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
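
Added example (not part of the original thread and not Avro's code or its fix): a self-contained stand-in for the quoted doSkipItems/doSkipBytes pair in which a negative byte count, which passes the quoted `length <= remaining` test and is then added to pos, is rejected instead. The class name SkipItemsGuardDemo, the guard itself and both byte arrays are assumptions constructed for illustration.

```java
import java.io.EOFException;
import java.io.IOException;

// Minimal in-memory model of the decoder quoted in the report (hypothetical class).
public class SkipItemsGuardDemo {
    private final byte[] buf;
    private final int limit;
    private int pos = 0;

    SkipItemsGuardDemo(byte[] data) { this.buf = data; this.limit = data.length; }

    // Avro longs are zigzag-encoded variable-length integers.
    long readLong() throws IOException {
        long raw = 0;
        for (int shift = 0; shift < 64; shift += 7) {
            if (pos >= limit) throw new EOFException("truncated varint");
            int b = buf[pos++] & 0xff;
            raw |= (long) (b & 0x7f) << shift;
            if ((b & 0x80) == 0) return (raw >>> 1) ^ -(raw & 1);
        }
        throw new IOException("varint longer than 10 bytes");
    }

    // Guard (an assumption, not the project's patch): a block size must be
    // non-negative and must fit in the remaining input, so pos only moves ahead.
    void doSkipBytes(long length) throws IOException {
        if (length < 0) throw new IOException("negative block size: " + length);
        if (length > limit - pos) throw new EOFException("block size exceeds input");
        pos += (int) length;
    }

    // Same loop shape as the quoted doSkipItems.
    long doSkipItems() throws IOException {
        long result;
        for (result = readLong(); result < 0L; result = readLong()) {
            doSkipBytes(readLong());
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed malformed header: item count -1 (0x01), block size -2 (0x03).
        try {
            new SkipItemsGuardDemo(new byte[] {0x01, 0x03}).doSkipItems();
            System.out.println("unexpected: malformed block accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed well-formed block: count -1, size 2, two payload bytes, end marker 0.
        byte[] ok = {0x01, 0x04, 0x7f, 0x7f, 0x00};
        System.out.println("items left: " + new SkipItemsGuardDemo(ok).doSkipItems());
    }
}
```

The same two constructed inputs can serve as the rejecting and accepting cases of a regression test for whatever bounds check the decoder ends up using.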