Apache Avro / AVRO-1237

Avro-C segfaults when union discriminant out of bounds

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.7.6
    • Component/s: c
    • Labels:
      None
    • Environment:

      Avro-C 1.7.2
      Ubuntu 12.04 x86_64

      Description

      libavro will segfault when decrypting a specially crafted (or corrupted) Avro file when the discriminant is out of bounds.
      There is already a check for < 0, but there is no upper bounds check.

      I have attached a patch that checks the bounds.
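
The two-sided bounds check the report describes, as an added C example that is not libavro's code and not the attached patch. `read_zigzag` and `read_union_branch` are hypothetical helpers, and the byte strings are constructed samples for a two-branch union.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one zigzag varint (Avro int/long). Returns the number of bytes
 * consumed, or 0 if the input is truncated or longer than 10 bytes. */
static size_t read_zigzag(const uint8_t *buf, size_t len, int64_t *out)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        acc |= (uint64_t)(buf[i] & 0x7f) << (7 * i);
        if (!(buf[i] & 0x80)) {
            *out = (int64_t)(acc >> 1) ^ -(int64_t)(acc & 1);
            return i + 1;
        }
    }
    return 0;
}

/* Read a union discriminant and validate it against the schema's branch
 * count. Returns 0 and sets *branch / *used on success, -1 otherwise. */
static int read_union_branch(const uint8_t *buf, size_t len,
                             size_t branch_count,
                             size_t *branch, size_t *used)
{
    int64_t d;
    size_t n = read_zigzag(buf, len, &d);
    if (n == 0)
        return -1;                       /* malformed varint */
    if (d < 0)
        return -1;                       /* lower bound */
    if ((uint64_t)d >= branch_count)
        return -1;                       /* upper bound, the missing check */
    *branch = (size_t)d;
    *used = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs for a two-branch union such as ["null","string"]. */
    const uint8_t samples[][2] = { {0x02}, {0x0e}, {0x01}, {0x80} };
    for (size_t i = 0; i < 4; i++) {
        size_t branch = 0, used = 0;
        int rc = read_union_branch(samples[i], 1, 2, &branch, &used);
        printf("sample %zu: rc=%d branch=%zu\n", i, rc, branch);
    }
    return 0;
}
```

Only the first sample (discriminant 1) is accepted; the others are rejected as too large, negative, and truncated, before any branch table would be indexed.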

        Attachments

        1. 0001-AVRO-1237.-C-Verify-union-discriminant-when-reading-.patch
          7 kB
          Douglas Creager
        2. 0001-Check-union-discriminant-bounds-in-both-directions.patch
          2 kB
          Michael Cooper
        3. 0001-Test-case-for-AVRO-1237.patch
          5 kB
          Douglas Creager
        4. avro-1237-bad-union-discriminant.avro
          0.1 kB
          Douglas Creager
        5. avro-1237-good.avro
          0.1 kB
          Douglas Creager

            People

            • Assignee:
              Unassigned
              Reporter:
              mic159 Michael Cooper
            • Votes:
              0
              Watchers:
              5
