From 68e67d528378965447ad23c32869285d60c68e93 Mon Sep 17 00:00:00 2001 From: OwenSanzas Date: Tue, 13 Jan 2026 00:35:15 +0000 Subject: [PATCH] [C] Fix negative block size validation in datafile reader The file_read_block_count() function in datafile.c reads block size using zigzag encoding, which can produce negative numbers from malicious Avro container files. These negative values were passed directly to avro_malloc(), causing allocation failures. This patch adds validation to reject negative block size values with a clear error message before attempting memory allocation. Bug: Negative block size from varint decoding causes allocation-size-too-big when cast to size_t Impact: DoS via crafted .avro file Co-Authored-By: Claude --- lang/c/src/datafile.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lang/c/src/datafile.c b/lang/c/src/datafile.c index c9d4dfeb68e..93a5b58297e 100644 --- a/lang/c/src/datafile.c +++ b/lang/c/src/datafile.c @@ -451,6 +451,10 @@ static int file_read_block_count(avro_file_reader_t r) "Cannot read file block count: "); check_prefix(rval, enc->read_long(r->reader, &len), "Cannot read file block size: "); + if (len < 0) { + avro_set_error("Invalid block size: %" PRId64, len); + return EINVAL; + } if (r->current_blockdata && len > r->current_blocklen) { r->current_blockdata = (char *) avro_realloc(r->current_blockdata, r->current_blocklen, len);
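Review bot: The new `if (len < 0)` guard closes the zigzag-negative case, but the very next lines still hand an attacker-controlled positive `len` straight to `avro_realloc(r->current_blockdata, r->current_blocklen, len)` (and, by the commit message, to `avro_malloc()` on the first-block path) with no upper bound, so a crafted block size near `INT64_MAX` still produces the allocation-size-too-big failure the commit message describes; suggest also rejecting `len` above a sane maximum block size, or at least above what remains of the file, in the same check, e.g. `if (len < 0 || len > MAX_BLOCK_SIZE) {`. Two smaller points: the `"Invalid block size: %" PRId64` format needs `<inttypes.h>` in scope in datafile.c, which is not visible in this hunk, so please confirm it is already included; and the neighbouring errors in this function are set through `check_prefix(... "Cannot read file block size: ")`, so matching that prefix in the new `avro_set_error` message would keep error text consistent for callers that parse it.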