[ https://issues.apache.org/jira/browse/AVRO-3049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294104#comment-17294104 ]
ASF subversion and git services commented on AVRO-3049: ------------------------------------------------------- Commit 552ee9e3c1679fec9ecb959c7c12ed7bd91827b0 in avro's branch refs/heads/dependabot/nuget/lang/csharp/Newtonsoft.Json-12.0.3 from John Karp [ https://gitbox.apache.org/repos/asf?p=avro.git;h=552ee9e ] AVRO-3049: Add checks to BinaryDecoder for bytes length (#1098) * AVRO-3049: Handle negative length for bytes * AVRO-3049: Don't try to allocate beyond VM limits for bytes * AVRO-3049: Use clearer unit test names * AVRO-3049: Use Assert.assertThrows for cleaner UTs * AVRO-3049: Add org.apache.avro.limits.bytes.maxLength property * AVRO-3049: mvn spotless:apply * AVRO-3049: Call super() from BinaryDecoder ctor * AVRO-3049: Add JavaDoc re BinaryDecoder limits > Java: BinaryDecoder lacks checks on bytes array length > ------------------------------------------------------ > > Key: AVRO-3049 > URL: https://issues.apache.org/jira/browse/AVRO-3049 > Project: Apache Avro > Issue Type: Bug > Components: java > Reporter: John Karp > Assignee: John Karp > Priority: Major > Fix For: 1.11.0, 1.10.2 > > > There are several checks on string length in BinaryDecoder. However, it lacks > the same checks for byte arrays. > * Negative lengths lead to IllegalArgumentException instead of > org.apache.avro.AvroRuntimeException > * Pathologically large (however legal) arrays can be allocated. Some > applications will be suffer denial of service if they are forced to allocate > 1 GB arrays repeatedly. -- This message was sent by Atlassian Jira (v8.3.4#803005)