commit d665e284df49e2032c151f55646e8ae531e9f3ce
author stiga-huang <huangquanlong@gmail.com> Fri Jun 16 22:53:43 2023 +0800
committer Jens Geyer <Jens-G@users.noreply.github.com> Wed Jun 21 22:28:00 2023 +0200
tree 97b1d50fea8c53f08bacaa9e4f6e5f64456e645c
parent 0b14a1bb01fb8e5124ee926b39c28d025deda087

THRIFT-5716: Fix uint32_t overflow in TMemoryBuffer

lib/cpp/src/thrift/transport/TBufferTransports.cpp

diff --git a/lib/cpp/src/thrift/transport/TBufferTransports.cpp b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
index efca5bd..f7cf8f0 100644
--- a/lib/cpp/src/thrift/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
@@ -363,9 +363,9 @@
     throw TTransportException("Insufficient space in external MemoryBuffer");
   }
 
-  // Grow the buffer as necessary.
-  const uint32_t current_used = bufferSize_ - avail;
-  const uint32_t required_buffer_size = len + current_used;
+  // Grow the buffer as necessary. Use uint64_t to avoid overflow.
+  const uint64_t current_used = bufferSize_ - avail;
+  const uint64_t required_buffer_size = len + current_used;
   if (required_buffer_size > maxBufferSize_) {
     throw TTransportException(TTransportException::BAD_ARGS,
                               "Internal buffer size overflow when requesting a buffer of size " + std::to_string(required_buffer_size));

lib/cpp/test/TMemoryBufferTest.cpp

diff --git a/lib/cpp/test/TMemoryBufferTest.cpp b/lib/cpp/test/TMemoryBufferTest.cpp
index 0ae4dc9..2f1aea6 100644
--- a/lib/cpp/test/TMemoryBufferTest.cpp
+++ b/lib/cpp/test/TMemoryBufferTest.cpp
@@ -385,6 +385,14 @@
   BOOST_CHECK_THROW(buf.write(&small_buff[0], 1), TTransportException);
 }
 
+BOOST_AUTO_TEST_CASE(test_buffer_overflow)
+{
+  TMemoryBuffer buf;
+  std::vector<uint8_t> small_buff(1);
+  buf.write(&small_buff[0], 1);
+  BOOST_CHECK_THROW(buf.getWritePtr(std::numeric_limits<uint32_t>::max()), TTransportException);
+}
+
 BOOST_AUTO_TEST_CASE(test_memory_buffer_to_get_sizeof_objects)
 {
   // This is a demonstration of how to use TMemoryBuffer to determine