
AVRO-4247: [Java] Enforce decompression size limits (branch-1.11 backport)#3777

Merged: iemejia merged 1 commit into apache:branch-1.11 from iemejia:branch-1.11-avro-4247 on May 14, 2026

@iemejia commented May 14, 2026

Summary

  • Backport of AVRO-4247: Enforce decompression size limits #3745 (d28279d) from master to branch-1.11
  • Adds decompression bomb protection to all Avro codecs (Deflate, BZip2, Snappy, XZ, Zstandard) with a configurable limit via system property org.apache.avro.limits.decompress.maxLength
  • Limit checks are enforced in NonCopyingByteArrayOutputStream (used by stream-based codecs) and directly in SnappyCodec (which uses ByteBuffer)

Java 8 compatibility fixes

Since branch-1.11 targets Java 8 while master targets Java 11, the following changes were made on top of the cherry-pick:

  • Replaced Objects.checkFromIndexSize() (Java 9+) with equivalent manual bounds checking
  • Replaced ByteArrayOutputStream.writeBytes() override (Java 11+) with a standalone method delegating to write(b, 0, b.length)
  • Removed unused java.util.Objects import

Testing

All 198 tests pass (66 tests x 3 execution modes: default, custom-coders, fast-reader), including:

  • NonCopyingByteArrayOutputStreamTest - 5 new tests for limit enforcement
  • TestAllCodecs - 12 tests covering all codec roundtrips
  • TestDataFile* - full data file read/write tests across all codecs

R: @RyanSkraba
CC: @steveloughran (for awareness of the cherry-pick)

Cherry-pick of d28279d from master with Java 8 compatibility fixes:
- Replace Objects.checkFromIndexSize() (Java 9+) with manual bounds check
- Replace ByteArrayOutputStream.writeBytes() override (Java 11+) with
  standalone method delegating to write(b, 0, b.length)
@github-actions bot added the Java Pull Requests for Java binding label May 14, 2026
@iemejia merged commit 5242f3f into apache:branch-1.11 May 14, 2026
1 check passed
@iemejia requested a review from RyanSkraba May 14, 2026 12:54
@iemejia deleted the branch-1.11-avro-4247 branch May 14, 2026 12:55
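
An added illustration of the approach the PR description outlines, not code from the Avro repository or from this PR: a Java 8 compatible ByteArrayOutputStream subclass that checks a size limit before every write, fed by an Inflater. The class name LimitedByteArrayOutputStream, the 1 MiB fallback value and the IllegalStateException are assumptions; only the system property name comes from the description.

```java
import java.io.ByteArrayOutputStream;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class DecompressLimitDemo {
  // Property name is from the PR description; the 1 MiB fallback is an assumed demo value.
  static final long MAX_LENGTH = Long.getLong("org.apache.avro.limits.decompress.maxLength", 1L << 20);
  /** Hypothetical Java 8 compatible sink that refuses to grow past a fixed limit. */
  static class LimitedByteArrayOutputStream extends ByteArrayOutputStream {
    private final long limit;
    LimitedByteArrayOutputStream(long limit) { this.limit = limit; }
    private void ensureRoom(int extra) {
      // Checked before buffering, in long arithmetic so count + extra cannot wrap.
      if ((long) count + extra > limit) throw new IllegalStateException("output exceeds " + limit + " bytes");
    }
    @Override public synchronized void write(int b) { ensureRoom(1); super.write(b); }
    @Override public synchronized void write(byte[] b, int off, int len) {
      // Manual stand-in for Objects.checkFromIndexSize(off, len, b.length), which needs Java 9+.
      if ((off | len) < 0 || len > b.length - off) throw new IndexOutOfBoundsException();
      ensureRoom(len);
      super.write(b, off, len);
    }
    public void writeBytes(byte[] b) { write(b, 0, b.length); } // no @Override: superclass has it only from Java 11
  }
  static byte[] inflate(byte[] packed, int len, long limit) throws DataFormatException {
    LimitedByteArrayOutputStream sink = new LimitedByteArrayOutputStream(limit);
    Inflater inflater = new Inflater();
    try {
      inflater.setInput(packed, 0, len);
      byte[] buf = new byte[8192];
      for (int n; !inflater.finished() && (n = inflater.inflate(buf)) > 0;) sink.write(buf, 0, n);
      return sink.toByteArray();
    } finally { inflater.end(); } // release native zlib state even when the limit check throws
  }
  public static void main(String[] args) throws DataFormatException {
    Deflater d = new Deflater();
    d.setInput(new byte[8 << 20]); // constructed input: 8 MiB of zeros deflates to a few KiB
    d.finish();
    byte[] packed = new byte[64 << 10];
    int len = d.deflate(packed);
    d.end();
    try {
      System.out.println("inflated " + inflate(packed, len, MAX_LENGTH).length + " bytes");
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Because the check runs inside the sink, the inflate loop stops at the first chunk that would cross the limit, so memory use is bounded by the limit plus one 8 KiB buffer rather than by the attacker-chosen expansion ratio.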