repr: fix panic decoding an empty Avro decimal value#37130
Closed
def- wants to merge 1 commit into
`twos_complement_be_to_numeric_inner` read `input[0]` to determine the sign before checking that the input was non-empty, so a zero-length two's-complement byte run panicked with an out-of-bounds index.

This is reachable from Avro source ingestion: a `decimal` logical type backed by `bytes` (or `fixed`) whose value is encoded as a zero-length byte array is a valid wire form, and that data arrives from external, possibly hostile, schema registries and producers. A conformant producer encodes zero as `[0x00]`, but a non-conformant one can send empty bytes, crashing the decoder and so the source.

An empty big-endian two's-complement run canonically denotes 0. Guarding the sign check with `!input.is_empty()` makes the existing logic produce 0 for that case (`head == 0`, no chunks), with no other change needed. The only caller is the Avro decimal decode path.

Found by the avro_decode_fuzzed_schema cargo-fuzz target.

Tests: adds `test_twos_complement_empty_is_zero`, covering the wrapper at several scales and the generic inner at both numeric widths.

Release note: Fix a panic in Avro-formatted sources when decoding a `decimal` column whose value was encoded as a zero-length byte array.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
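The decode shape the description refers to, as an added Rust example that is not the project's own code: the unguarded sign read that panics on an empty run sits beside the guarded version that yields 0, and a small wrapper applies an Avro decimal scale so the "zero at several scales" case can be seen end to end. The real inner function is generic over numeric width; the `i128` target, the function names `twos_complement_be_to_i128`, `format_decimal` and `decode_avro_decimal`, and the constructed payloads below are assumptions made for this example.

```rust
// Added example; not the project's code. Names and the i128 width are assumptions.

/// The shape of the bug the PR describes: the sign is read from `input[0]`
/// before the length is checked, so an empty byte run panics with an
/// out-of-bounds index. (Assumes at most 16 bytes; kept minimal on purpose.)
pub fn twos_complement_be_to_i128_unguarded(input: &[u8]) -> i128 {
    let negative = (input[0] & 0x80) != 0; // panics when `input` is empty
    let fill: u8 = if negative { 0xFF } else { 0x00 };
    let mut buf = [fill; 16];
    buf[16 - input.len()..].copy_from_slice(input);
    i128::from_be_bytes(buf)
}

/// Hardened decode: an empty big-endian two's-complement run denotes 0, so the
/// sign check is guarded with `!input.is_empty()` and the rest of the logic
/// falls through to zero. Returns `None` when the value does not fit in i128.
pub fn twos_complement_be_to_i128(input: &[u8]) -> Option<i128> {
    let negative = !input.is_empty() && (input[0] & 0x80) != 0;
    let fill: u8 = if negative { 0xFF } else { 0x00 };

    // Drop redundant sign-extension bytes so over-long but valid encodings
    // (e.g. 17 bytes of 0xFF for -1) still decode.
    let mut body = input;
    while body.len() > 16 && body[0] == fill {
        body = &body[1..];
    }
    if body.len() > 16 {
        return None; // genuinely wider than 128 bits
    }
    // After stripping, a 16-byte body whose top bit disagrees with the sign
    // would wrap (e.g. 0x00 followed by 16 bytes starting 0x80): reject it.
    if body.len() == 16 && ((body[0] & 0x80) != 0) != negative {
        return None;
    }

    let mut buf = [fill; 16];
    buf[16 - body.len()..].copy_from_slice(body);
    Some(i128::from_be_bytes(buf))
}

/// Render an unscaled integer at the given Avro decimal `scale`
/// (12345 at scale 2 is "123.45"; 0 at scale 2 is "0.00").
pub fn format_decimal(unscaled: i128, scale: u32) -> String {
    let digits = unscaled.unsigned_abs().to_string();
    let scale = scale as usize;
    let body = if scale == 0 {
        digits
    } else if digits.len() > scale {
        let (int_part, frac) = digits.split_at(digits.len() - scale);
        format!("{int_part}.{frac}")
    } else {
        format!("0.{}{}", "0".repeat(scale - digits.len()), digits)
    };
    if unscaled < 0 { format!("-{body}") } else { body }
}

/// Wrapper standing in for the Avro decimal decode path: raw `bytes`/`fixed`
/// payload plus the schema's scale. (Name and signature are assumptions.)
pub fn decode_avro_decimal(payload: &[u8], scale: u32) -> Option<String> {
    twos_complement_be_to_i128(payload).map(|v| format_decimal(v, scale))
}

fn main() {
    // Constructed payloads: a conformant zero, the non-conformant empty
    // encoding the fuzzer found, a positive value and a negative value.
    let cases: [(&[u8], u32); 4] = [
        (&[0x00], 2),
        (&[], 2),
        (&[0x30, 0x39], 2),
        (&[0xFF, 0xFB], 3),
    ];
    for (payload, scale) in cases {
        println!("{:?} @ scale {} -> {:?}", payload, scale, decode_avro_decimal(payload, scale));
    }
}
```

The guard is the only behavioural difference between the two decoders on well-formed input; the width checks in the hardened version are there so that an over-long or out-of-range encoding from an untrusted producer is rejected with `None` rather than silently wrapped, which is the other failure mode a fuzzer would otherwise find next.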
This fix is already part of #36984. Really need to get this stuff merged or I'll keep running into the same bugs.