Skip to content

ORC-2191: Reject overflowing PostScript tail lengths in ReaderImpl#2672

Draft
dongjoon-hyun wants to merge 1 commit into
apache:mainfrom
dongjoon-hyun:ORC-2191
Draft

ORC-2191: Reject overflowing PostScript tail lengths in ReaderImpl#2672
dongjoon-hyun wants to merge 1 commit into
apache:mainfrom
dongjoon-hyun:ORC-2191

Conversation

@dongjoon-hyun

Copy link
Copy Markdown
Member

What changes were proposed in this pull request?

This PR validates the PostScript tail lengths in ReaderImpl.extractFileTail before they are cast
from long to int, throwing FileFormatException when footerLength, metadataLength,
stripeStatisticsLength, or their sum is negative or exceeds the file length / Integer.MAX_VALUE.
It is the Java counterpart of the C++ overflow checks in ORC-2167.

Why are the changes needed?

These fields are protobuf uint64 read as Java long. A malformed value near UINT64_MAX or above
2GB would truncate/overflow on the int cast into a bogus offset or allocation size instead of a
clear error. Per the ORC threat model this is a fail-fast robustness fix, not a CVE.

How was this patch tested?

Added TestReaderImpl.testMalformedTailLengthOverflow, which crafts files with tail lengths of
2^31, 2^32, and UINT64_MAX and asserts OrcFile.createReader throws FileFormatException.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Fable 5

@dongjoon-hyun dongjoon-hyun marked this pull request as draft July 7, 2026 07:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant