Jens-G opened a new pull request, #3410: URL: https://github.com/apache/thrift/pull/3410
## Summary

The varint reader in `TCompactProtocol` loops until it encounters a non-continuation byte (bit 7 clear), without bounding the number of bytes it will consume. The protobuf wire-format specification, which the compact protocol wire format is based on, defines a maximum of 10 bytes for a 64-bit varint (5 bytes for 32-bit). C++ and Node.js already enforce this limit and raise a protocol exception when it is exceeded.

This change extends that limit to the remaining four runtimes:

- **Python** (`lib/py/src/protocol/TCompactProtocol.py`): `readVarint()` now uses a bounded `for` loop of 10 iterations and raises `TProtocolException(INVALID_DATA)` on overflow.
- **Go** (`lib/go/thrift/compact_protocol.go`): `readVarint64()` now uses a bounded loop of 10 iterations and returns a `TProtocolException` with `INVALID_DATA` on overflow.
- **PHP** (`lib/php/lib/Protocol/TCompactProtocol.php`): `readVarint()` now uses a bounded `while` loop of 10 iterations and throws `TProtocolException(INVALID_DATA)` on overflow.
- **Java** (`lib/java/src/main/java/org/apache/thrift/protocol/TCompactProtocol.java`): the slow-path readers `readVarint32()` (5-byte limit) and `readVarint64()` (10-byte limit) now throw `TProtocolException(INVALID_DATA)` on overflow.

Tests added in Python (`lib/py/test/thrift_TCompactProtocol.py`) and Go (`lib/go/thrift/compact_protocol_test.go`).

## Test plan

- [ ] Python: `python3 lib/py/test/thrift_TCompactProtocol.py -v` — two new varint limit tests pass
- [ ] Go: `cd lib/go && go test ./thrift/... -run TestCompactProtocol` — two new varint limit tests pass
- [ ] Java: `cd lib/java && gradle test --tests '*TCompactProtocol*'` — all tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
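The bound described in the pull request, shown as an added example in Python; this is illustration code written for this page, not the Thrift project's `TCompactProtocol.readVarint()` or its tests. It encodes and decodes the same 7-bits-per-byte, continuation-bit-7 varint layout the compact protocol uses, places an unbounded reader (the pre-fix shape) beside a reader capped at 10 bytes for 64-bit and 5 bytes for 32-bit values, and runs both over a constructed hostile byte string of continuation bytes. All names (`ProtocolError`, `read_varint`, `try_decode`, `HOSTILE`, the byte constants) are assumptions chosen for the example.

```python
"""Bounded vs. unbounded varint decoding (added example, not Thrift's own code).

ProtocolError stands in for TProtocolException(INVALID_DATA); the function
names and the sample input below are assumptions made for this illustration.
"""
import io

MAX_VARINT32_BYTES = 5   # ceil(32 / 7): protobuf wire-format limit for 32-bit
MAX_VARINT64_BYTES = 10  # ceil(64 / 7): protobuf wire-format limit for 64-bit

# Constructed hostile input: 64 continuation bytes followed by a terminator.
# A malicious peer on a socket could send 0x80 forever instead.
HOSTILE = b"\x80" * 64 + b"\x00"


class ProtocolError(ValueError):
    """Stand-in for TProtocolException(INVALID_DATA)."""


def encode_varint(value: int) -> bytes:
    """Unsigned LEB128-style varint: 7 data bits per byte, bit 7 set = more bytes follow."""
    if value < 0:
        raise ValueError("unsigned varint cannot encode a negative value")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint_unbounded(stream: io.BufferedIOBase) -> int:
    """Pre-fix shape: keep reading until a byte without the continuation bit."""
    result = 0
    shift = 0
    while True:
        chunk = stream.read(1)
        if not chunk:
            raise ProtocolError("truncated varint")
        byte = chunk[0]
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result
        shift += 7


def read_varint(stream: io.BufferedIOBase, max_bytes: int) -> int:
    """Bounded reader: consumes at most `max_bytes` bytes, then raises.

    The bounded `for` loop is the whole fix: a run of continuation bytes longer
    than the limit is rejected instead of being consumed indefinitely.
    """
    result = 0
    shift = 0
    for _ in range(max_bytes):
        chunk = stream.read(1)
        if not chunk:
            raise ProtocolError("truncated varint")
        byte = chunk[0]
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result
        shift += 7
    raise ProtocolError(f"varint exceeds {max_bytes} bytes")


def decode(data: bytes, max_bytes: int = MAX_VARINT64_BYTES):
    """Decode one bounded varint from bytes; returns (value, bytes_consumed)."""
    stream = io.BytesIO(data)
    value = read_varint(stream, max_bytes)
    return value, stream.tell()


def try_decode(data: bytes, max_bytes: int = MAX_VARINT64_BYTES):
    """Like decode(), but reports errors: returns (value_or_None, consumed, error_or_None)."""
    stream = io.BytesIO(data)
    try:
        return read_varint(stream, max_bytes), stream.tell(), None
    except ProtocolError as exc:
        return None, stream.tell(), str(exc)


def unbounded_decode(data: bytes):
    """Decode with the pre-fix reader; returns (value, bytes_consumed)."""
    stream = io.BytesIO(data)
    value = read_varint_unbounded(stream)
    return value, stream.tell()


if __name__ == "__main__":
    print("300 encodes as", encode_varint(300).hex())           # ac02
    print("u64 max needs", len(encode_varint(2**64 - 1)), "bytes")  # 10
    print("unbounded reader on hostile input:", unbounded_decode(HOSTILE))  # (0, 65)
    print("bounded reader on hostile input:  ", try_decode(HOSTILE))         # (None, 10, 'varint exceeds 10 bytes')
    print("6-byte value under the 32-bit limit:", try_decode(encode_varint(2**35), MAX_VARINT32_BYTES))
```

Note what the byte bound does and does not check: it caps how much input a single field can consume, which is what matters against a peer that streams `0x80` bytes, but a 10-byte varint can still carry up to 70 data bits and a 5-byte one up to 35, so a value that is too wide for the declared integer size but fits within the byte limit is still accepted by this check alone.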
