Skip to content

ORC-2192: [C++] Reject invalid string length in StringDirectColumnReader#2673

Open
dongjoon-hyun wants to merge 1 commit into
apache:mainfrom
dongjoon-hyun:ORC-2192
Open

ORC-2192: [C++] Reject invalid string length in StringDirectColumnReader#2673
dongjoon-hyun wants to merge 1 commit into
apache:mainfrom
dongjoon-hyun:ORC-2192

Conversation

@dongjoon-hyun

Copy link
Copy Markdown
Member

What changes were proposed in this pull request?

This PR adds validation to StringDirectColumnReader::computeSize in the C++ reader so a negative or overflowing string length throws ParseError before any blob is allocated. Both callers (next and skip) are covered, and since buildReader routes all direct-encoded string-family types to this reader, the single guard protects BINARY/CHAR/STRING/VARCHAR/GEOMETRY/GEOGRAPHY.

Why are the changes needed?

The LENGTH stream is decoded as unsigned RLE, so a malformed file can encode a varint >= 2^63 that becomes a negative int64_t. Cast to size_t, this triggers a huge blob.resize() and an out-of-bounds pointer walk. This restores parity with the Java reader, which already guards this path in BytesColumnVectorUtil.commonReadByteArrays.

How was this patch tested?

Added TestColumnReader.testStringDirectNegativeLength, which feeds a crafted LENGTH stream decoding to INT64_MIN and asserts ParseError is thrown.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Fable 5

@dongjoon-hyun dongjoon-hyun changed the title ORC-2192: Reject invalid string length in StringDirectColumnReader ORC-2192: [C++] Reject invalid string length in StringDirectColumnReader Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant