Jens Geyer created THRIFT-6035:
----------------------------------
Summary: Harden Smalltalk protocol negative sizes
Key: THRIFT-6035
URL: https://issues.apache.org/jira/browse/THRIFT-6035
Project: Thrift
Issue Type: Bug
Components: Smalltalk - Library
Reporter: Jens Geyer
The Smalltalk library does not validate negative sizes when reading Thrift
payloads, and the current behavior silently corrupts stream state.
Size values appear in binary/string fields and in map/list/set headers. Those
values must be non-negative.
- readListBegin, readMapBegin, readSetBegin: return the raw signed integer size
without any check.
- readString: the guard [sz > 0 ifTrue: [...] ifFalse: ['']] silently returns
an empty string for negative sizes. This leaves the transport stream out of
sync with the protocol frame -- subsequent reads will deserialize incorrect
data with no error indication.
Although the TProtocolError class negativeSize constant (value 2) is defined,
it is never raised in any read path.
This is a protocol hardening gap compared with other runtimes. The silent
stream desync in readString is particularly dangerous, as it causes data
corruption without raising any error.
The fix should:
1. Raise a TProtocolError with code negativeSize when a negative size is read
in any container or string/binary path.
2. Remove or replace the silent ifFalse fallback in readString.
See THRIFT-6025 for the equivalent Ruby fix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
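The failure mode described in the issue, as an added example that is not part of the Jira report or of the Thrift Smalltalk library: a small Python model of the TBinaryProtocol read path (big-endian signed i32 size prefixes, one type byte for list/set headers, two for map headers). LenientBinaryReader mimics the unpatched behaviour (sizes returned unchecked, readString returning "" for size <= 0 without consuming bytes); HardenedBinaryReader adds the negativeSize check the issue asks for. The class and method names, the TProtocolError codes and the malformed frame are all constructed for this illustration.

```python
import struct


class TProtocolError(Exception):
    """Models Thrift's TProtocolError; code 2 is the negativeSize constant
    that the issue notes is defined but never raised."""

    UNKNOWN = 0
    INVALID_DATA = 1
    NEGATIVE_SIZE = 2

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


class LenientBinaryReader:
    """Unpatched behaviour (constructed model, not the Smalltalk code):
    container sizes are returned unchecked and read_string returns "" for
    any size <= 0 without advancing the stream position."""

    def __init__(self, data: bytes):
        self.buf = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise EOFError("frame truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_byte(self) -> int:
        return self._take(1)[0]

    def read_i32(self) -> int:
        # TBinaryProtocol encodes i32 as big-endian signed 32-bit.
        return struct.unpack(">i", self._take(4))[0]

    def read_string(self) -> str:
        sz = self.read_i32()
        return self._take(sz).decode("utf-8") if sz > 0 else ""

    def read_list_begin(self):
        etype = self.read_byte()
        return etype, self.read_i32()

    read_set_begin = read_list_begin

    def read_map_begin(self):
        ktype = self.read_byte()
        vtype = self.read_byte()
        return ktype, vtype, self.read_i32()


class HardenedBinaryReader(LenientBinaryReader):
    """Same reader with a negative-size check on every size-bearing path."""

    @staticmethod
    def _check_size(sz: int) -> int:
        if sz < 0:
            raise TProtocolError(TProtocolError.NEGATIVE_SIZE,
                                 f"negative size {sz}")
        return sz

    def read_string(self) -> str:
        sz = self._check_size(self.read_i32())
        return self._take(sz).decode("utf-8")

    def read_list_begin(self):
        etype = self.read_byte()
        return etype, self._check_size(self.read_i32())

    read_set_begin = read_list_begin

    def read_map_begin(self):
        ktype = self.read_byte()
        vtype = self.read_byte()
        return ktype, vtype, self._check_size(self.read_i32())


# Constructed malformed frame: a string whose length prefix claims -5 bytes,
# five payload bytes, then an i32 field whose intended value is 42.
MALFORMED_FRAME = struct.pack(">i", -5) + b"hello" + struct.pack(">i", 42)


def lenient_read(frame: bytes = MALFORMED_FRAME):
    """Returns (string, next_i32) as the unpatched reader sees them: the
    string comes back empty and the following i32 is decoded from b"hell",
    not from the real field, with no error raised."""
    r = LenientBinaryReader(frame)
    return r.read_string(), r.read_i32()


def hardened_read(frame: bytes = MALFORMED_FRAME):
    """Returns the TProtocolError code the hardened reader raises, or None."""
    r = HardenedBinaryReader(frame)
    try:
        r.read_string()
    except TProtocolError as e:
        return e.code
    return None
```

Running lenient_read() shows the desync concretely: the string payload is consumed as the next field and the reader keeps going, whereas hardened_read() stops at the first negative size with code 2. The same _check_size call covers the list, set and map headers, which is the shape of fix the issue asks for.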