Fix jint->size_t integer narrowing in DecoderJNI and EncoderJNI nativePush#1498
Open
momo-123-coder wants to merge 1 commit into
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
…ePush nativePush in both decoder_jni.cc and encoder_jni.cc accepted a signed jint input_length and assigned it directly to a size_t field without a sign check. A negative value wraps to SIZE_MAX, causing the decoder or encoder to read far beyond the allocated buffer (heap-buffer-overflow). Add an explicit negativity guard before the assignment and replace the implicit narrowing cast with static_cast<size_t>. Verified with ASan: crash seed (jint=-1) aborts the unpatched build and exits cleanly on the patched build across all negative jint values tested.
5070238 to b7154a5
Fix jint→size_t integer narrowing in DecoderJNI and EncoderJNI nativePush
Summary
nativePush in both decoder_jni.cc and encoder_jni.cc accepts jint input_length (a signed 32-bit JNI integer) and assigns it directly to a size_t field without a sign check:

When the Java caller passes a negative value (e.g., -1, or any value where the high bit is set), the implicit jint → size_t conversion wraps to SIZE_MAX - |value| + 1 (4 294 967 295 for -1 on 32-bit, or 18 446 744 073 709 551 615 on 64-bit). This causes:
input size pointing at attacker-controlled memory
or remote code execution depending on heap layout
Root cause
jint is defined as int32_t in <jni.h>. The JNI specification allows any Java int value, including negative values, to reach native code. There is no existing guard against input_length < 0 before the assignment.
Fix
Add a sign check and replace the implicit narrowing cast with an explicit
static_cast<size_t> in both files:
The encoder_jni.cc path is fixed identically (input_last field).
Testing
Existing unit tests continue to pass. A LibFuzzer harness that exercises
this path with negative input_length values is available on request.
Security impact
(network-reachable through any JVM processing untrusted compressed data)
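The wrap described in the PR and the guard it proposes, as an added stand-alone C++ example (this is not code from the PR or from the project's JNI sources). It models the native-side length field with a hypothetical PushState struct and a hypothetical push() function; jint is aliased to int32_t here instead of including <jni.h>, and checked_length() additionally bounds the length against the buffer the caller actually supplied, which goes slightly beyond the sign check alone.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Assumption: jint is a 32-bit signed integer, as it is on every platform
// the JNI headers support. Aliased here so the example builds without <jni.h>.
using jint = std::int32_t;

// Hypothetical model of the native state nativePush fills in: the remaining
// input length is stored as size_t, so a negative jint wraps to a huge value.
struct PushState {
  std::size_t input_length = 0;
};

// Unchecked conversion, mirroring the pre-patch path the PR describes.
// int32 -> size_t conversion is modular, so -1 becomes SIZE_MAX and
// INT32_MIN becomes SIZE_MAX - 2^31 + 1, regardless of the width of size_t.
std::size_t unchecked_length(jint input_length) {
  std::size_t n = input_length;  // implicit sign-changing conversion
  return n;
}

// Guarded conversion: reject negative lengths before the cast, then also
// reject anything longer than the buffer we were actually handed.
// Returns std::nullopt on rejection so the caller can report an error.
std::optional<std::size_t> checked_length(jint input_length,
                                          std::size_t available) {
  if (input_length < 0) return std::nullopt;
  std::size_t n = static_cast<std::size_t>(input_length);
  if (n > available) return std::nullopt;
  return n;
}

// Hypothetical push: records the validated length in `state` and copies that
// many bytes from `buf` into `out`. Returns false instead of touching memory
// past the end of `buf` when the Java-supplied length is bad.
bool push(PushState& state, const std::vector<unsigned char>& buf,
          jint input_length, std::vector<unsigned char>& out) {
  std::optional<std::size_t> n = checked_length(input_length, buf.size());
  if (!n) return false;
  state.input_length = *n;
  out.assign(buf.begin(), buf.begin() + static_cast<std::ptrdiff_t>(*n));
  return true;
}
```

The order of the two checks matters: the sign test must run on the signed jint, because once the value has been converted to size_t it is always non-negative and a `n > available` comparison alone would still admit a wrapped SIZE_MAX only if `available` happened to be larger, which it never is; relying on the second check as the only defence would make the bounds check the last line of defence against an integer that was already wrong.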