github-advanced-security[bot] commented on code in PR #3725:
URL: https://github.com/apache/avro/pull/3725#discussion_r3045577512


##########
lang/java/avro/src/test/java/org/apache/avro/io/TestBinaryDecoder.java:
##########
@@ -417,6 +417,51 @@
     }
   }
 
+  /**
+   * Verify that a byte-array-backed decoder rejects a string whose varint 
length
+   * exceeds the remaining bytes, throwing {@link EOFException} <em>before</em>
+   * allocating the buffer.
+   */
+  @Test
+  public void testStringLengthExceedsAvailableBytes() throws IOException {
+    // Encode a varint claiming 10_000_000 bytes of string data, but supply 
none.
+    // The byte-array-backed decoder knows it has only a few bytes left after
+    // the varint, so ensureAvailableBytes must throw EOFException.
+    BinaryDecoder bd = newDecoder(false, 10_000_000L);
+    Assertions.assertThrows(EOFException.class, () -> bd.readString(null));
+  }
+
+  /**
+   * Same as {@link #testStringLengthExceedsAvailableBytes()} but for
+   * {@link BinaryDecoder#readBytes(ByteBuffer)}.
+   */
+  @Test
+  public void testBytesLengthExceedsAvailableBytes() throws IOException {
+    BinaryDecoder bd = newDecoder(false, 10_000_000L);
+    Assertions.assertThrows(EOFException.class, () -> bd.readBytes(null));
+  }
+
+  @Test
+  public void testStringLengthDoesNotTrustUnknownAvailable() throws 
IOException {
+    byte[] encoded;
+    try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+      BinaryEncoder encoder = EncoderFactory.get().binaryEncoder(baos, null);
+      encoder.writeString("hello");
+      encoder.flush();
+      encoded = baos.toByteArray();
+    }
+
+    InputStream in = new ByteArrayInputStream(encoded) {
+      @Override
+      public int available() {
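Review bot: The `available()` override in `testStringLengthDoesNotTrustUnknownAvailable` should be declared `synchronized`, since `ByteArrayInputStream.available()` is synchronized and the anonymous subclass drops that guarantee (this is the CodeQL finding below). Also, this third test is the only one of the three added here without a Javadoc; the first two explain which decoder path they exercise and why `EOFException` is expected, so a matching comment stating what "does not trust unknown available" means (an `InputStream` whose `available()` under-reports, so the length check must not rely on it) would make the intent clear to the next reader.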

Review Comment:
   ## CodeQL / Non-synchronized override of synchronized method
   
   Method 'available' overrides a synchronized method in [java.io.ByteArrayInputStream](1) but is not synchronized.
   
   [Show more details](https://github.com/apache/avro/security/code-scanning/3358)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
