ORC-1879: [C++] Fix Heap Buffer Overflow in LZO Decompression

ffacs · dongjoon-hyun · commit 6b78a0dde976 · 2025-04-17T09:54:46.000+09:00
### What changes were proposed in this pull request? Fix Heap Buffer Overflow Vulnerability in LZO Decompression ### Why are the changes needed? This vulnerability has several security implications ### How was this patch tested? UT passed ### Was this patch authored or co-authored using generative AI tooling? NO Closes #2191 from ffacs/main. Authored-by: ffacs <ffacs520@gmail.com> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
diff --git a/c++/src/LzoDecompressor.cc b/c++/src/LzoDecompressor.cc
@@ -342,7 +342,7 @@ namespace orc {
         char* literalOutputLimit = output + literalLength;
         if (literalOutputLimit > fastOutputLimit ||
             input + literalLength > inputLimit - SIZE_OF_LONG) {
-          if (literalOutputLimit > outputLimit) {
+          if (literalOutputLimit > outputLimit || input + literalLength > inputLimit) {
             throw MalformedInputException(input - inputAddress);
           }
 
diff --git a/c++/test/TestDecompression.cc b/c++/test/TestDecompression.cc
@@ -395,6 +395,26 @@ namespace orc {
     ASSERT_TRUE(!result->Next(&ptr, &length));
   }
 
+  TEST_F(TestDecompression, testLzoOverflow) {
+    const unsigned char bad_lzo_data[] = {// Header: compressedSize = 12, original = false
+                                          0x18, 0x00, 0x00,
+
+                                          // LZO body: token and literal length extension
+                                          0x00,  // token: extended literal length
+                                          0xFF,  // extension byte 1
+
+                                          // Literal data: only 10 bytes far less than 273
+                                          'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};
+
+    std::unique_ptr<SeekableInputStream> result = createDecompressor(
+        CompressionKind_LZO,
+        std::make_unique<SeekableArrayInputStream>(bad_lzo_data, ARRAY_SIZE(bad_lzo_data)),
+        128 * 1024, *getDefaultPool(), getDefaultReaderMetrics());
+    const void* ptr;
+    int length;
+    EXPECT_THROW(result->Next(&ptr, &length), ParseError);
+  }
+
   TEST_F(TestDecompression, testLz4Empty) {
     const unsigned char buffer[] = {0};
     std::unique_ptr<SeekableInputStream> result = createDecompressor(

Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,7 @@ namespace orc {`
`342`	`342`	`char* literalOutputLimit = output + literalLength;`
`343`	`343`	`if (literalOutputLimit > fastOutputLimit \|\|`
`344`	`344`	`input + literalLength > inputLimit - SIZE_OF_LONG) {`
`345`		`- if (literalOutputLimit > outputLimit) {`
	`345`	`+ if (literalOutputLimit > outputLimit \|\| input + literalLength > inputLimit) {`
`346`	`346`	`throw MalformedInputException(input - inputAddress);`
`347`	`347`	`}`
`348`	`348`