[IMPALA-13150] Possible buffer overflow in StringVal::CopyFrom() - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Impala 4.5.0, Impala 4.4.1
Component/s: Backend
Labels:
None

Epic Color:
ghx-label-8

Description

In StringVal::CopyFrom(), we take the 'len' parameter as a size_t, which is usually a 64-bit unsigned integer. We pass it to the constructor of StringVal, which takes it as an int, which is usually a 32-bit signed integer. The constructor then allocates memory for the length using the int value, but back in CopyFrom(), we copy the buffer with the size_t length. If size_t is indeed 64 bits and int is 32 bits, and the value is truncated, we may copy more bytes that what we have allocated the destination for. See https://github.com/apache/impala/blob/ce8078204e5995277f79e226e26fe8b9eaca408b/be/src/udf/udf.cc#L546

Attachments

Activity

People

Assignee:: Daniel Becker

Reporter:: Daniel Becker

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/Jun/24 12:18

Updated:: 14/Aug/24 00:50

Resolved:: 18/Jun/24 08:23