[thrift] branch master updated: THRIFT-5716: Fix uint32_t overflow in TMemoryBuffer

Wed, 21 Jun 2023 13:28:10 -0700 

This is an automated email from the ASF dual-hosted git repository.

jensg pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/thrift.git


The following commit(s) were added to refs/heads/master by this push:
     new d665e284d THRIFT-5716: Fix uint32_t overflow in TMemoryBuffer
d665e284d is described below

commit d665e284df49e2032c151f55646e8ae531e9f3ce
Author: stiga-huang <huangquanl...@gmail.com>
AuthorDate: Fri Jun 16 22:53:43 2023 +0800

    THRIFT-5716: Fix uint32_t overflow in TMemoryBuffer
---
 lib/cpp/src/thrift/transport/TBufferTransports.cpp | 6 +++---
 lib/cpp/test/TMemoryBufferTest.cpp                 | 8 ++++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/cpp/src/thrift/transport/TBufferTransports.cpp 
b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
index efca5bd01..f7cf8f039 100644
--- a/lib/cpp/src/thrift/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
@@ -363,9 +363,9 @@ void TMemoryBuffer::ensureCanWrite(uint32_t len) {
     throw TTransportException("Insufficient space in external MemoryBuffer");
   }
 
-  // Grow the buffer as necessary.
-  const uint32_t current_used = bufferSize_ - avail;
-  const uint32_t required_buffer_size = len + current_used;
+  // Grow the buffer as necessary. Use uint64_t to avoid overflow.
+  const uint64_t current_used = bufferSize_ - avail;
+  const uint64_t required_buffer_size = len + current_used;
   if (required_buffer_size > maxBufferSize_) {
     throw TTransportException(TTransportException::BAD_ARGS,
                               "Internal buffer size overflow when requesting a 
buffer of size " + std::to_string(required_buffer_size));
diff --git a/lib/cpp/test/TMemoryBufferTest.cpp 
b/lib/cpp/test/TMemoryBufferTest.cpp
index 0ae4dc9ad..2f1aea694 100644
--- a/lib/cpp/test/TMemoryBufferTest.cpp
+++ b/lib/cpp/test/TMemoryBufferTest.cpp
@@ -385,6 +385,14 @@ BOOST_AUTO_TEST_CASE(test_maximum_buffer_size)
   BOOST_CHECK_THROW(buf.write(&small_buff[0], 1), TTransportException);
 }
 
+BOOST_AUTO_TEST_CASE(test_buffer_overflow)
+{
+  TMemoryBuffer buf;
+  std::vector<uint8_t> small_buff(1);
+  buf.write(&small_buff[0], 1);
+  BOOST_CHECK_THROW(buf.getWritePtr(std::numeric_limits<uint32_t>::max()), 
TTransportException);
+}
+
 BOOST_AUTO_TEST_CASE(test_memory_buffer_to_get_sizeof_objects)
 {
   // This is a demonstration of how to use TMemoryBuffer to determine

Reply via email to