ffacs (Contributor) commented Apr 16, 2025

What changes were proposed in this pull request?

Fix Heap Buffer Overflow Vulnerability in LZO Decompression

Why are the changes needed?

This vulnerability has several security implications

How was this patch tested?

UT passed

Was this patch authored or co-authored using generative AI tooling?

NO

github-actions bot added the CPP label Apr 16, 2025

ffacs (Contributor Author) commented Apr 16, 2025

cc @wgtmac @dongjoon-hyun

wgtmac changed the title from "[C++] Heap Buffer Overflow Vulnerability in LZO Decompression" to "[C++] Fix Heap Buffer Overflow in LZO Decompression" Apr 16, 2025

wgtmac (Member) left a comment

Thanks for fixing this!

0x00, // token: extended literal length
0xFF, // extension byte 1

// Literal data: only 10 bytes far less than 273
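
Review bot: The `// Literal data: only 10 bytes far less than 273` comment uses 273 without saying where it comes from. Spell out in the comment how it follows from the `0x00` token and the `0xFF` extension byte above, or give it a named constant, so the test keeps documenting the declared-versus-actual length mismatch if the input bytes are ever changed.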
Member

Why magic number 273?

ffacs (Contributor Author) commented Apr 16, 2025

> Why magic number 273?

Simply a large enough number that comes from 0x00 0xff.
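
The case discussed in this review thread (a `0x00` token and `0xFF` extension byte declaring 273 literal bytes while only 10 follow), as an added example that is not the ORC patch or project code: a literal copy that checks the declared length against both buffers. The helper names and the LZO1X-style length rule (15 + 255 + 3 = 273) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { LIT_OK = 0, LIT_TRUNCATED = -1, LIT_NO_SPACE = -2 };

/* Hypothetical helper: decode one literal run and copy it into out.
 * Assumed LZO1X-style length rule: low nibble of the token, where 0 means
 * "extended" (15, +255 per 0x00 extension byte, + the final non-zero byte),
 * then +3. Returns the number of bytes copied, or a negative LIT_* code. */
static long copy_literal_run(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap) {
    size_t pos = 0, len;
    if (in_len == 0) return LIT_TRUNCATED;
    len = in[pos++] & 0x0F;
    if (len == 0) {
        uint8_t ext;
        len = 15;
        do {
            if (pos >= in_len) return LIT_TRUNCATED; /* extension byte missing */
            ext = in[pos++];
            len += ext ? ext : 255;
            /* No run can exceed the input; this also keeps len from wrapping. */
            if (len > in_len) return LIT_TRUNCATED;
        } while (ext == 0);
    }
    len += 3;
    /* The declared length comes from untrusted data: compare it with what is
     * really left in the input and with the room in the output before copying. */
    if (len > in_len - pos) return LIT_TRUNCATED;
    if (len > out_cap) return LIT_NO_SPACE;
    memcpy(out, in + pos, len);
    return (long)len;
}

/* Constructed input shaped like the PR's test: declares 273 bytes, carries 10. */
static const uint8_t crafted[] = {0x00, 0xFF, 'A','A','A','A','A','A','A','A','A','A'};
/* Constructed well-formed run: token 0x02 declares 2 + 3 = 5 literal bytes. */
static const uint8_t valid[] = {0x02, 'h', 'e', 'l', 'l', 'o'};

static long run_sample(const uint8_t *in, size_t n, size_t out_cap) {
    uint8_t out[512];
    return copy_literal_run(in, n, out, out_cap < sizeof out ? out_cap : sizeof out);
}

int main(void) {
    printf("crafted: %ld, valid: %ld\n", run_sample(crafted, sizeof crafted, 512),
           run_sample(valid, sizeof valid, 512));
    return 0;
}
```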

dongjoon-hyun (Member) left a comment

Thank you, @ffacs and @wgtmac.

dongjoon-hyun (Member) left a comment

+1, LGTM.

dongjoon-hyun changed the title from "[C++] Fix Heap Buffer Overflow in LZO Decompression" to "ORC-1879: [C++] Fix Heap Buffer Overflow in LZO Decompression" Apr 17, 2025
dongjoon-hyun pushed a commit that referenced this pull request Apr 17, 2025
### What changes were proposed in this pull request?
Fix Heap Buffer Overflow Vulnerability in LZO Decompression

### Why are the changes needed?
This vulnerability has several security implications

### How was this patch tested?
UT passed

### Was this patch authored or co-authored using generative AI tooling?
NO

Closes #2191 from ffacs/main.

Authored-by: ffacs <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
(cherry picked from commit 6b78a0d)
Signed-off-by: Dongjoon Hyun <[email protected]>
dongjoon-hyun pushed a commit that referenced this pull request Apr 17, 2025
dongjoon-hyun (Member) commented

Merged to main/2.1/2.0.

Could you make two backport PRs for branch-1.9 and branch-1.8, please, @ffacs?

dongjoon-hyun (Member) commented

Oh, BTW, I created a new JIRA (ORC-1879) because this PR didn't have a proper JIRA ID in the PR title. However, now, I realized that @ffacs created ORC-1878 before making this PR.

ffacs added a commit that referenced this pull request Apr 22, 2025
ffacs added a commit to ffacs/orc that referenced this pull request Apr 22, 2025
ffacs (Contributor Author) commented Apr 22, 2025

> Merged to main/2.1/2.0.
>
> Could you make two backport PRs for branch-1.9 and branch-1.8, please, @ffacs?

Sorry, I just saw this message now. Here are the PRs:
#2198 #2199

ffacs added a commit to ffacs/orc that referenced this pull request Apr 28, 2025