Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate arguments for Unsafe coders #54

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Marcono1234
Copy link

@Marcono1234 Marcono1234 commented Feb 18, 2024

Adds validation for the encoder and decoder using Unsafe to protect against accidental memory corruption. This is mainly to protect against implementation bugs, and against users who might by accident provide invalid arguments.

I am not very familiar with this code, so any feedback and corrections are welcome!
I have added some review comments below to explain the rationale for the changes.

Assuming users are not using any of these low level methods or classes directly, this probably has no security impact.

@Marcono1234 Marcono1234 force-pushed the unsafe-arg-validation branch from 907efb3 to 9cd0e20 Compare February 18, 2024 13:53
@@ -7,7 +7,7 @@
* Implementation to use on Little Endian architectures.
*/
@SuppressWarnings("restriction")
public class UnsafeChunkEncoderLE
public final class UnsafeChunkEncoderLE
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency with UnsafeChunkEncoderBE, which was already final.

@@ -83,7 +88,7 @@ protected int tryCompress(byte[] in, int inPos, int inEnd, byte[] out, int outPo
++inPos;
}
// try offlining the tail
return _handleTail(in, inPos, inEnd+4, out, outPos, literals);
return _handleTail(in, inPos, inEnd+TAIL_LENGTH, out, outPos, literals);
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope this is correct; to me it looked like this undoes the -= TAIL_LENGTH at the beginning of the method:

// Sanity checks; otherwise if any of the arguments are invalid `Unsafe` might corrupt memory
_checkArrayIndices(in, inPos, inEnd);
_checkArrayIndices(out, outPos, out.length);
// TODO: Validate that `out.length - outPos` is large enough?
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this has to be validated because it does not look like the code below performs any bounds checks, but I am not sure what the correct minimum size here is. When I used LZFChunk.MAX_CHUNK_LEN1, a few unit tests were failing, which were using smaller output buffers.

Or alternatively it would be necessary to add bounds checks below to make sure Unsafe does not write outside out.

Footnotes

  1. Maybe the minimum size would have to be even larger, including LZFChunk.MAX_HEADER_LEN?

@cowtowncoder
Copy link
Contributor

I think these make sense, but I would suggest splitting this PR into multiple smaller PRs.

One thing to note: I don't seem to have commit access to this repo any more, so I can not merge PRs.
So I can help suggest changes but not sure who has access to merge changes.

@Marcono1234
Copy link
Author

Thanks for the feedback! That is quite unfortunate that you lost access to this repository. Would you like to continue maintaining this library? In that case, do you think it would be possible for you to obtain maintainer and publishing rights again (or maybe even transfer the repository to your GitHub account)?

I am not sure if or how many alternatives to this library exists, and there seem to be some large projects currently using this library, see https://mvnrepository.com/artifact/com.ning/compress-lzf/usages (the latest version of some of these might not have a dependency on compress-lzf anymore though).

I have also written a mail to your fasterxml.com e-mail address today, could you please have a look?

@cowtowncoder
Copy link
Contributor

@Marcono1234 I can file an issue and see if any of maintainers is around. Yes, I could continue maintaining this package, although its usage is definitely declining -- note that MvnRepository has no easy way to find out if the latest version(s) of some package still depends on package, just that some version does.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants