From a7ff13409ed8e0b6e0017702059071c808b6d148 Mon Sep 17 00:00:00 2001
From: OwenSanzas
Date: Tue, 13 Jan 2026 00:32:43 +0000
Subject: [PATCH] [C] Fix negative length validation in read_bytes and read_string

The read_bytes() and read_string() functions in encoding_binary.c decode length values using zigzag encoding, which can produce negative numbers from malicious input. These negative values were passed directly to avro_malloc(), causing allocation failures or undefined behavior. This patch adds validation to reject negative length values with a clear error message before attempting memory allocation.

Bug: Negative length values from varint decoding cause allocation-size-too-big when cast to size_t
Impact: DoS via crafted binary input
Co-Authored-By: Claude
---
 lang/c/src/encoding_binary.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lang/c/src/encoding_binary.c b/lang/c/src/encoding_binary.c
index 1fc5f0c9a7b..748dcb7aff7 100644
--- a/lang/c/src/encoding_binary.c
+++ b/lang/c/src/encoding_binary.c
@@ -127,6 +127,10 @@ static int read_bytes(avro_reader_t reader, char **bytes, int64_t * len)
 int rval;
 check_prefix(rval, read_long(reader, len), "Cannot read bytes length: ");
+ if (*len < 0) {
+ avro_set_error("Invalid bytes length: %" PRId64, *len);
+ return EINVAL;
+ }
 *bytes = (char *) avro_malloc(*len + 1);
 if (!*bytes) {
 avro_set_error("Cannot allocate buffer for bytes value");
@@ -175,6 +179,10 @@ static int read_string(avro_reader_t reader, char **s, int64_t *len)
 int rval;
 check_prefix(rval, read_long(reader, &str_len), "Cannot read string length: ");
+ if (str_len < 0) {
+ avro_set_error("Invalid string length: %" PRId64, str_len);
+ return EINVAL;
+ }
 *len = str_len + 1;
 *s = (char *) avro_malloc(*len);
 if (!*s) {
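Review bot: The new `*len < 0` guard in read_bytes still accepts `INT64_MAX`, so `*len + 1` in the `avro_malloc` call is a signed overflow, and on a target with a 32-bit `size_t` any length above `SIZE_MAX - 1` would be truncated on conversion for the allocator, yielding a buffer smaller than the decoded length. The same holds for `str_len + 1` in the read_string hunk. I would bound the upper end in the same check, `if (*len < 0 || (uint64_t) *len > SIZE_MAX - 1) {` (and likewise for `str_len`), and do the addition in `size_t`, e.g. `avro_malloc((size_t) *len + 1)`. Both function bodies continue past the hunks, so whether the later read uses the untruncated length cannot be confirmed from here. A length far larger than the remaining input also still reaches the allocator, which may deserve a separate cap.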