[ https://issues.apache.org/jira/browse/IMPALA-13150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Becker updated IMPALA-13150:
-----------------------------------
    Summary: Possible buffer overflow in StringVal::CopyFrom()  (was: Possible buffer overflow in StringVal)

> Possible buffer overflow in StringVal::CopyFrom()
> -------------------------------------------------
>
>                 Key: IMPALA-13150
>                 URL: https://issues.apache.org/jira/browse/IMPALA-13150
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>            Reporter: Daniel Becker
>            Assignee: Daniel Becker
>            Priority: Major
>
> In {{StringVal::CopyFrom()}}, we take the 'len' parameter as a
> {{size_t}}, which is usually a 64-bit unsigned integer. We pass it to the
> constructor of {{StringVal}}, which takes it as an {{int}}, which is
> usually a 32-bit signed integer. The constructor then allocates memory for
> the length using the {{int}} value, but back in {{CopyFrom()}}, we copy
> the buffer with the {{size_t}} length. If {{size_t}} is indeed 64 bits and
> {{int}} is 32 bits, and the value is truncated, we may copy more bytes than
> what we have allocated the destination for. See
> https://github.com/apache/impala/blob/ce8078204e5995277f79e226e26fe8b9eaca408b/be/src/udf/udf.cc#L546

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
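As an added illustration (not code from Impala or from this ticket), a reduced C++ model of the size_t-to-int narrowing the report describes, next to the length check a hardened CopyFrom() would apply before allocating or copying. ToyStringVal, TruncatedLen, CopyWouldOverrun and SafeCopyFrom are constructed names; only the int 'len' member and the size_t parameter of CopyFrom() come from the ticket.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <optional>
#include <vector>

// Toy stand-in for Impala's StringVal: 'len' is an int, as in the real UDF API.
// A std::vector replaces the FunctionContext allocation (constructed for this example).
struct ToyStringVal {
  int len = 0;
  std::vector<uint8_t> storage;
  explicit ToyStringVal(int n) : len(n), storage(n > 0 ? static_cast<size_t>(n) : 0) {}
};

// What the implicit size_t -> int conversion in the constructor call yields.
// Above INT_MAX the result wraps on mainstream 64-bit toolchains (modular in C++20),
// so a large length becomes a small positive or a negative int.
int TruncatedLen(size_t len) { return static_cast<int>(len); }

// Compare the bytes the int-based constructor would reserve with the bytes a
// size_t-based memcpy would write. True means the copy would run past the allocation.
// This only computes sizes; it never touches memory.
bool CopyWouldOverrun(size_t requested_len) {
  int as_int = TruncatedLen(requested_len);
  size_t allocated = as_int > 0 ? static_cast<size_t>(as_int) : 0;
  return allocated != requested_len;
}

// Hardened CopyFrom: refuse any length that does not fit an int before the
// allocation and the copy, so the two sizes can never disagree.
std::optional<ToyStringVal> SafeCopyFrom(const uint8_t* buf, size_t len) {
  if (len > static_cast<size_t>(std::numeric_limits<int>::max())) return std::nullopt;
  ToyStringVal result(static_cast<int>(len));
  if (len > 0) std::memcpy(result.storage.data(), buf, len);
  return result;
}
```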