arib06 opened a new pull request, #3836:
URL: https://github.com/apache/avro/pull/3836

   ## What is the purpose of the change
   
   The binary value decoder validates a union discriminant against the schema before use, but the enum branch reads the symbol index straight from the wire and stores it without a range check. A crafted enum index that is negative or larger than the number of symbols is accepted, then later passed to `avro_schema_enum_get`. That lookup misses in the symbol table and leaves its local pointer union uninitialized, so it returns a wild pointer. Callers such as `avro_value_to_json` dereference it and crash.
   
   This adds the missing bounds check to the `AVRO_ENUM` case in `read_value`, mirroring the union discriminant check already present a few cases above, and rejects out-of-range or negative indices with `EILSEQ`. Both the direct `avro_value_read` path and the `avro_read_data` resolver path funnel through this case, so one check covers both.
   
   ## Verifying this change
   
   This change added tests and can be verified as follows:
   - Added `test_avro_enum_read`, which decodes a 3-symbol enum and asserts a valid index is accepted while an out-of-range index (1000) and a negative index are rejected. Against the unpatched decoder the out-of-range read is accepted; the test fails.
   - Reproduced the original crash under ASan before the fix: reading the out-of-range index and calling `avro_value_to_json` gives `SEGV in strlen <- json_string <- avro_value_to_json_t (value-json.c:228)` on a wild pointer. After the fix the read returns an error and no invalid value is stored.
   - Full C suite green (`ctest`, 28/28).
   
   ## Documentation
   
   - Does this pull request introduce a new feature? no
   


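The bounds check this pull request describes, as a stand-alone added example that is not the patch and not Avro C code. `read_long` and `read_enum_index` are hypothetical helpers and the byte strings are constructed; the only assumptions are that Avro binary encodes an enum as a zigzag varint index and, following the PR, that a bad index is rejected with `EILSEQ`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: zigzag varint encodings of 1, 1000 and -1, plus a cut-off varint. */
static const uint8_t VALID_1[]           = { 0x02 };
static const uint8_t OUT_OF_RANGE_1000[] = { 0xD0, 0x0F };
static const uint8_t NEGATIVE_1[]        = { 0x01 };
static const uint8_t TRUNCATED[]         = { 0x80 };

/* Decode one zigzag varint; returns 0 on success or EILSEQ on malformed input. */
static int read_long(const uint8_t *buf, size_t len, size_t *pos, int64_t *out)
{
    uint64_t acc = 0;
    for (int shift = 0; shift < 64; shift += 7) {
        if (*pos >= len)
            return EILSEQ;                      /* ran out of bytes mid-varint */
        uint8_t b = buf[(*pos)++];
        acc |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) {                      /* last byte: undo zigzag */
            *out = (int64_t)((acc >> 1) ^ (0 - (acc & 1)));
            return 0;
        }
    }
    return EILSEQ;                              /* longer than 10 bytes */
}

/* Hypothetical helper: read an enum index and store it only if it names a symbol. */
int read_enum_index(const uint8_t *buf, size_t len, int nsymbols, int *index)
{
    size_t pos = 0;
    int64_t raw;
    int rc = read_long(buf, len, &pos, &raw);
    if (rc)
        return rc;
    if (raw < 0 || raw >= (int64_t)nsymbols)    /* the range check on the wire value */
        return EILSEQ;
    *index = (int)raw;                          /* safe: 0 <= raw < nsymbols */
    return 0;
}

int main(void)
{
    int idx = -1;
    printf("valid: rc=%d\n", read_enum_index(VALID_1, sizeof VALID_1, 3, &idx));
    printf("1000:  rc=%d\n", read_enum_index(OUT_OF_RANGE_1000, sizeof OUT_OF_RANGE_1000, 3, &idx));
    printf("-1:    rc=%d\n", read_enum_index(NEGATIVE_1, sizeof NEGATIVE_1, 3, &idx));
    return 0;
}
```

Because the index is validated before it is stored, a later symbol lookup never sees a value outside the table.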