Dvir Volk created THRIFT-3175:
---------------------------------
Summary: fastbinary.c python deserialize can cause huge allocations from garbage
Key: THRIFT-3175
URL: https://issues.apache.org/jira/browse/THRIFT-3175
Project: Thrift
Issue Type: Bug
Components: Python - Library
Reporter: Dvir Volk
In the fastbinary python deserializer, allocating a list is done like so:
{code}
len = readI32(input);
if (!check_ssize_t_32(len)) {
  return NULL;
}
ret = PyList_New(len);
{code}
The only validation of len is that it's under INT_MAX. I've encountered a
situation where upon receiving garbage input, and having len be read as
something like 1 billion, the library treated this as a valid input, allocated
gigs of RAM, and caused a server to crash.
The quick fix I made was to limit list sizes to a sane value of a few thousand
that more than suits my personal needs.
But IMO this should be dealt with properly. One way that comes to mind is not
pre-allocating the entire list in advance in case it's really big, and resizing
it in smaller steps while reading the input.
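The incremental-growth approach suggested at the end of the report, as an added example that is not Thrift's code and does not use the Python C API. It assumes a simplified wire format of a big-endian i32 count followed by that many big-endian i32 elements; `decode_i32_list` and `GROW_STEP` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GROW_STEP 1024 /* assumed cap on elements added per reallocation */

/* Read a big-endian i32 at *pos. Returns 0, or -1 if fewer than 4 bytes remain. */
static int read_i32(const uint8_t *buf, size_t n, size_t *pos, int32_t *out) {
    if (n - *pos < 4) return -1;
    const uint8_t *p = buf + *pos;
    *out = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | p[3]);
    *pos += 4;
    return 0;
}

/* Decode [i32 count][count x i32]. Capacity grows by at most GROW_STEP elements
 * at a time, so memory tracks bytes actually present, not the claimed length.
 * Returns the count or -1 on error; *peak_cap is the largest capacity allocated. */
long decode_i32_list(const uint8_t *buf, size_t n, int32_t **out, size_t *peak_cap) {
    size_t pos = 0, cap = 0;
    int32_t len, *items = NULL;
    *out = NULL; *peak_cap = 0;
    if (read_i32(buf, n, &pos, &len) < 0 || len < 0) return -1;
    for (int32_t i = 0; i < len; i++) {
        if ((size_t)i == cap) {              /* full: grow by a bounded step */
            size_t want = (size_t)len - cap;
            cap += want < GROW_STEP ? want : GROW_STEP;
            int32_t *tmp = realloc(items, cap * sizeof *items);
            if (!tmp) { free(items); return -1; }
            items = tmp;
            *peak_cap = cap;
        }
        if (read_i32(buf, n, &pos, &items[i]) < 0) { /* input ended early */
            free(items);
            return -1;
        }
    }
    *out = items;
    return len;
}

int main(void) {
    /* Constructed input: header claims 1,000,000,000 elements, only 2 follow. */
    const uint8_t bad[] = {0x3B, 0x9A, 0xCA, 0x00, 0, 0, 0, 1, 0, 0, 0, 2};
    int32_t *items;
    size_t peak;
    long r = decode_i32_list(bad, sizeof bad, &items, &peak);
    printf("result=%ld peak_capacity=%zu elements\n", r, peak);
}
```

With the constructed garbage header the decoder fails once the input runs out, having allocated room for only `GROW_STEP` elements instead of a billion.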