You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@avro.apache.org by "bismillah (Jira)" <ji...@apache.org> on 2022/10/09 06:27:00 UTC

[jira] [Created] (AVRO-3635) BinaryDecoder trapped into infinite loop while decode crafted data

bismillah created AVRO-3635:
-------------------------------

             Summary: BinaryDecoder trapped into infinite loop while decode crafted data
                 Key: AVRO-3635
                 URL: https://issues.apache.org/jira/browse/AVRO-3635
             Project: Apache Avro
          Issue Type: Bug
          Components: java
    Affects Versions: 1.11.0
            Reporter: bismillah


stackrace:

 
{code:java}
"DataComputingThread5" #58 prio=5 os_prio=0 tid=0x0000ffff8ab4b000 nid=0x13907 runnable [0x0000ffff3ce11000]
   java.lang.Thread.State: RUNNABLE
    at org.apache.avro.io.BinaryDecoder.doSkipItems(BinaryDecoder.java:454)
    at org.apache.avro.io.BinaryDecoder.skipArray(BinaryDecoder.java:473)
    at org.apache.avro.generic.GenericDatumReader.skip(GenericDatumReader.java:576)
    at org.apache.avro.io.FastReaderBuilder.lambda$initializeRecordReader$0(FastReaderBuilder.java:159)
    at org.apache.avro.io.FastReaderBuilder$$Lambda$652/470404086.execute(Unknown Source)
    at org.apache.avro.io.FastReaderBuilder$RecordReader.read(FastReaderBuilder.java:576)
    at org.apache.avro.io.FastReaderBuilder.lambda$createUnionReader$30(FastReaderBuilder.java:413)
    at org.apache.avro.io.FastReaderBuilder$$Lambda$679/1790128078.read(Unknown Source)
    at org.apache.avro.io.FastReaderBuilder.lambda$createFieldSetter$1(FastReaderBuilder.java:182)
... {code}
 

specific code:
{code:java}
private long doSkipItems() throws IOException {
    long result;
    for(result = this.readLong(); result < 0L; result = this.readLong()) {
        long bytecount = this.readLong();
        this.doSkipBytes(bytecount);
    }

    return result;
}

protected void doSkipBytes(long length) throws IOException {
    int remaining = this.limit - this.pos;
    if (length <= (long)remaining) {
        this.pos = (int)((long)this.pos + length);
    } else {
        this.limit = this.pos = 0;
        length -= (long)remaining;
        this.source.skipSourceBytes(length);
    }

} {code}
if the bytecount is negative, during doSkipBytes, the pos is moved forward. As a result, the previous data is parsed repeatedly.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)