Posted to commits@orc.apache.org by md...@apache.org on 2018/03/07 00:42:38 UTC
orc git commit: ORC-312: [C++] fix buffer overflow in corrupt
StringDictionaryColumn
Repository: orc
Updated Branches:
refs/heads/master 9c105b92a -> 2926f325a
ORC-312: [C++] fix buffer overflow in corrupt StringDictionaryColumn
Fixes #224
Signed-off-by: Deepak Majeti <md...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/orc/repo
Commit: http://git-wip-us.apache.org/repos/asf/orc/commit/2926f325
Tree: http://git-wip-us.apache.org/repos/asf/orc/tree/2926f325
Diff: http://git-wip-us.apache.org/repos/asf/orc/diff/2926f325
Branch: refs/heads/master
Commit: 2926f325afe5947f7a35bea4559c6ec40bc2a3eb
Parents: 9c105b9
Author: stiga-huang <hu...@gmail.com>
Authored: Fri Mar 2 21:54:35 2018 -0800
Committer: Deepak Majeti <md...@apache.org>
Committed: Tue Mar 6 19:41:33 2018 -0500
----------------------------------------------------------------------
c++/src/ColumnReader.cc | 11 +++++++++++
1 file changed, 11 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/orc/blob/2926f325/c++/src/ColumnReader.cc
----------------------------------------------------------------------
diff --git a/c++/src/ColumnReader.cc b/c++/src/ColumnReader.cc
index 5462bec..53997a4 100644
--- a/c++/src/ColumnReader.cc
+++ b/c++/src/ColumnReader.cc
@@ -468,6 +468,9 @@ namespace orc {
if (!stream->Next(&chunk, &length)) {
throw ParseError("bad read in readFully");
}
+ if (posn + length > bufferSize) {
+ throw ParseError("Corrupt dictionary blob in StringDictionaryColumn");
+ }
memcpy(buffer + posn, chunk, static_cast<size_t>(length));
posn += length;
}
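Review bot: The new bound check adds `posn + length` before comparing and does not reject a negative `length`, which would then reach the `static_cast<size_t>` in the memcpy as a huge size. Writing it as `if (length < 0 || length > bufferSize - posn) {` covers both cases, assuming the loop outside the hunk keeps posn at or below bufferSize. The declarations of posn, length and bufferSize are not visible here, so their types should be confirmed. The message also names StringDictionaryColumn although the neighbouring error text suggests this is a generic readFully helper; if it has other callers, a neutral message such as `"Stream longer than expected in readFully"` would mislead less.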
@@ -514,6 +517,8 @@ namespace orc {
lengthDecoder->next(lengthArray + 1, dictionaryCount, nullptr);
lengthArray[0] = 0;
for(uint64_t i=1; i < dictionaryCount + 1; ++i) {
+ if (lengthArray[i] < 0)
+ throw ParseError("Negative dictionary entry length");
lengthArray[i] += lengthArray[i-1];
}
int64_t blobSize = lengthArray[dictionaryCount];
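Review bot: The running sum in `lengthArray[i] += lengthArray[i-1]` is still unchecked for overflow. Non-negative lengths from a corrupt file can add up past the int64_t range, which is undefined behaviour and can leave blobSize smaller than earlier offsets. The added guard could cover this as well, e.g. `if (lengthArray[i] < 0 || lengthArray[i] > std::numeric_limits<int64_t>::max() - lengthArray[i-1])`, assuming lengthArray holds int64_t as the blobSize assignment suggests. The new `if` also omits braces, unlike the other checks added in this commit. The enclosing function starts and ends outside the hunk.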
@@ -549,6 +554,9 @@ namespace orc {
for(uint64_t i=0; i < numValues; ++i) {
if (notNull[i]) {
int64_t entry = outputLengths[i];
+ if (entry < 0 || static_cast<uint64_t>(entry) >= dictionaryCount) {
+ throw ParseError("Entry index out of range in StringDictionaryColumn");
+ }
outputStarts[i] = blob + dictionaryOffsets[entry];
outputLengths[i] = dictionaryOffsets[entry+1] -
dictionaryOffsets[entry];
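Review bot: The same three-line range check is pasted into both the notNull branch here and the no-nulls branch in the following hunk (`@@ -557,6 +565,9 @@`), so the two copies can drift apart. A small file-local helper that takes `entry` and `dictionaryCount` and throws the ParseError would keep a single copy. Including the offending index and dictionaryCount in the message would make corrupt files easier to diagnose. A comment such as `// entry is read from the file and untrusted; entry+1 must stay within dictionaryOffsets` above the check would record why the upper bound is `>= dictionaryCount`, if dictionaryOffsets has dictionaryCount + 1 slots as the setup in the earlier hunk suggests. The enclosing function starts and ends outside the hunk.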
@@ -557,6 +565,9 @@ namespace orc {
} else {
for(uint64_t i=0; i < numValues; ++i) {
int64_t entry = outputLengths[i];
+ if (entry < 0 || static_cast<uint64_t>(entry) >= dictionaryCount) {
+ throw ParseError("Entry index out of range in StringDictionaryColumn");
+ }
outputStarts[i] = blob + dictionaryOffsets[entry];
outputLengths[i] = dictionaryOffsets[entry+1] -
dictionaryOffsets[entry];