These are chat archives for HdrHistogram/HdrHistogram

21st Sep 2015

Alec (@ahothan), Sep 21 2015 16:46

@mikeb01 in this function on the decoding path:

static int _apply_to_counts_zz(struct hdr_histogram* h, const uint8_t* counts_data, const int32_t data_limit)
{
    int32_t data_index = 0;
    int32_t counts_index = 0;   /* 32-bit index into h->counts (the issue discussed below) */
    int64_t value;

    /* Walk the zig-zag varint stream until the data or the counts array is exhausted */
    while (data_index < data_limit && counts_index < h->counts_len)
    {
        data_index += zig_zag_decode_i64(&counts_data[data_index], &value);

        if (value < INT32_MIN)
        {
            return HDR_TRAILING_ZEROS_INVALID;
        }

        if (value < 0)
        {
            /* A negative value encodes a run of zero counts: skip that many slots */
            int32_t zeros = -((int32_t) value);
            counts_index += zeros;
        }
        else
        {
            h->counts[counts_index] = value;
            counts_index++;
        }
    }

    return 0;
}

counts_index needs to be int64_t because otherwise it might wrap over with any large negative varint value.
Here is an example of a malicious but valid encoded varint that will cause a crash because the resulting counts_index will become a large negative number after adding zeros to it:

A zero count of 1 (-1 -> 0x01) followed by a simple count value of 1 at index 1 (1 -> 0x02), followed by a large enough negative value to be dangerous: -2147483648 (smallest negative signed 32 bit), followed by a count value of 1:

INDEX_SKIPPER_VALUE = '\x01\x02\xFF\xFF\xFF\xFF\x0F\x02'

@giltene: looks like the same issue in the Java code with dstIndex?

private int fillCountsArrayFromSourceBuffer(ByteBuffer sourceBuffer, int lengthInBytes, int wordSizeInBytes) {
    if ((wordSizeInBytes != 2) && (wordSizeInBytes != 4) &&
            (wordSizeInBytes != 8) && (wordSizeInBytes != V2maxWordSizeInBytes)) {
        throw new IllegalArgumentException("word size must be 2, 4, 8, or V2maxWordSizeInBytes ("+
                V2maxWordSizeInBytes + ") bytes");
    }
    final long maxAllowableCountInHistigram =
            ((this.wordSizeInBytes == 2) ? Short.MAX_VALUE :
                    ((this.wordSizeInBytes == 4) ? Integer.MAX_VALUE : Long.MAX_VALUE)
            );

    int dstIndex = 0;
Sorry for the unintentional bold font above; it was caused by the Python comment character "#" ;-(