compression: honor read buffer offset in resize_buffer#12085
Conversation
resize_buffer reallocated to new_size while get_available_space and get_append_buffer both account for the read_buffer offset. After a member is consumed read_buffer sits at a non-zero offset, so an append that resizes to input_buffer_length + len and copies len bytes at get_append_buffer ran read_buffer_offset bytes past the reallocation. Reserve the offset in the reallocation and keep input_buffer_size in sync. Signed-off-by: Saddam <saddamr3e@gmail.com>
Feeds a gzip member plus trailing bytes so read_buffer is left at a non-zero offset, then exercises the packed-forward append path (resize to input_buffer_length + len, copy at get_append_buffer). Fails under AddressSanitizer without the resize_buffer offset fix. Signed-off-by: Saddam <saddamr3e@gmail.com>
📝 WalkthroughWalkthroughThe decompression buffer resize now accounts for unconsumed input offsets. A gzip regression test exercises resizing and appending after decompression, and CMake includes the test in internal unit tests. ChangesCompression buffer fix
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
src/flb_compression.c (2)
109-110: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winReuse the existing
flb_decompression_context_get_read_buffer_offsethelper.The offset calculation at lines 109–110 duplicates the logic already encapsulated in
flb_decompression_context_get_read_buffer_offset(lines 27–40), which also provides a NULL guard oncontext. Using the helper reduces duplication and adds the safety check.♻️ Proposed refactor
- read_buffer_offset = (uintptr_t) context->read_buffer - - (uintptr_t) context->input_buffer; + read_buffer_offset = flb_decompression_context_get_read_buffer_offset(context);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/flb_compression.c` around lines 109 - 110, Replace the duplicated pointer subtraction in the decompression flow with the existing flb_decompression_context_get_read_buffer_offset helper, passing the current context and preserving assignment to read_buffer_offset. Do not retain the manual calculation.
112-114: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winGuard against integer overflow in
read_buffer_offset + new_size.Both
read_buffer_offsetandnew_sizearesize_t. Their sum is used as theflb_reallocsize (line 114) and stored ininput_buffer_size(line 128). If the addition wraps,flb_reallocallocates a tiny buffer while the caller subsequently writesappend_lenbytes atget_append_buffer()— the same heap-buffer-overflow class this PR fixes. A simple overflow check before the realloc closes the gap.🛡️ Proposed overflow guard
if (new_size > context->input_buffer_length) { + if (read_buffer_offset > SIZE_MAX - new_size) { + return FLB_DECOMPRESSOR_FAILURE; + } new_buffer_address = flb_realloc(context->input_buffer, read_buffer_offset + new_size);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/flb_compression.c` around lines 112 - 114, In the buffer-growth logic around the realloc call, validate that read_buffer_offset + new_size cannot exceed SIZE_MAX before performing the addition or passing it to flb_realloc. Handle the overflow using the function’s existing allocation-failure path, and ensure the same validated total is used when storing input_buffer_size.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/flb_compression.c`:
- Around line 109-110: Replace the duplicated pointer subtraction in the
decompression flow with the existing
flb_decompression_context_get_read_buffer_offset helper, passing the current
context and preserving assignment to read_buffer_offset. Do not retain the
manual calculation.
- Around line 112-114: In the buffer-growth logic around the realloc call,
validate that read_buffer_offset + new_size cannot exceed SIZE_MAX before
performing the addition or passing it to flb_realloc. Handle the overflow using
the function’s existing allocation-failure path, and ensure the same validated
total is used when storing input_buffer_size.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 37fe48c2-d329-4480-a68f-3b24beefb519
📒 Files selected for processing (3)
src/flb_compression.ctests/internal/CMakeLists.txttests/internal/compression.c
AddressSanitizer, appending a chunk after a decompression member is consumed:
Once a member is decoded
read_buffersits at a non-zero offset insideinput_buffer.flb_decompression_context_get_available_space()andflb_decompression_context_get_append_buffer()both account for that offset, butresize_buffer()reallocated tonew_sizeonly. The packed-forward path inin_forwardresizes toinput_buffer_length + lenand then copieslenbytes atget_append_buffer(), so with a non-zero read offset that copy runsread_buffer_offsetbytes past the reallocation. Reserve the offset in the reallocation and keepinput_buffer_sizein sync with it.Regression test lives in
tests/internal/compression.c; it faults under AddressSanitizer before the change and passes after.Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
Used AddressSanitizer instead of Valgrind: the new
tests/internal/compression.cunit test built with-DSANITIZE_ADDRESS=Onreports a heap-buffer-overflow write past theresize_buffer()allocation on the unpatched tree and is clean with the fix, andflb-it-gzip/flb-it-zstdstay green.If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
ok-package-testlabel to test for all targets (requires maintainer to do).Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
Summary by CodeRabbit
Bug Fixes
Tests