CVE-2026-46384

Integer Overflow in Avro Decoder

Summary

Description

• arrayDecoder.Decode, mapDecoder.Decode, and mapDecoderUnmarshaler.Decode summed attacker-controlled block lengths via size += int(l) and then checked size > limit. On amd64 / arm64 the running total wraps at math.MaxInt64; the post-wrap negative value passes the > limit check, and the decoder proceeds. Regression test: TestDecoder ArrayMultiBlockExceedsMaxInt uses math.MaxInt − 2 for the second block's count and a MaxSliceAllocSize of 13 to demonstrate this on amd64. The Avro block-count field is a signed long on the wire, so block counts up to math.MaxInt64 are admissible — there is no implicit 2³¹ ceiling.
• ReadBlockHeader() returns the absolute value of negative block lengths; the negation is unsafe for math.MinInt, which on every platform panics on overflow.
• ocf/ocf.go readBlock() passes the decoded block size directly to make([]byte, size). A negative wire value panics on every platform; on 32-bit, values > MaxInt32 additionally panic via the narrowing path.

Affected components

Technical details

1. Block-header narrowing and MinInt negation. ReadBlockHeader() returned wire-format int64 values through narrower operations; on 32-bit, large positives truncated. Negating math.MinInt to convert a negative block-count signal into a positive size is undefined-on-overflow, and on every platform -MinInt panics on overflow when used in subsequent arithmetic. The fix reads into a *64-suffixed local, range-checks against MinInt32/MaxInt32 (or MinInt/MaxInt as appropriate), and narrows after validation.
2. Cumulative array and map size overflow (all platforms). arrayDecoder.Decode, mapDecoder.Decode, and mapDecoderUnmarshaler.Decode summed attacker-controlled block lengths using overflow-prone addition; cumulative size could wrap before reaching the configured limit. On amd64 with MaxSliceAllocSize = 13, block 1 of 3 elements, block 2 of math.MaxInt − 2 elements: the pre-fix size += int(l) wraps to math.MinInt, then MinInt > 13 is false, so the check passes and the decoder proceeds. The fix uses subtraction-safe comparisons (l > limit - size rather than size + l > limit), which is overflow-immune.
3. Skip-length truncation. SkipString, SkipBytes, and the OCF skip helper now route through SkipNBytesInt64(), which keeps the length as int64 and range-checks before any narrowing.
4. Byte-slice length truncation. A wire-format length such as (1<<32) + 5 truncated to 5 in readBytes(), slipping past Config.MaxByteSliceSize on 32-bit. The fix reads the length as int64, compares against MaxByteSliceSize before narrowing, and returns "value is too big" if exceeded.
5. Union index narrowing (generic decode path only). Reader.ReadNext decoded the union index as int64 and immediately cast to int. On 32-bit, 1<<32 narrowed to 0 and silently selected types[0] despite the explicit upper-bound check immediately above. If types[0] is the null branch (idiomatic for ["null", T] nullable unions), the practical result is a null value where the producer encoded a non-null payload — a DoS-grade logic error. If types[0] is a non-trivial schema, downstream bytes are parsed against the wrong schema and produce well-typed but semantically wrong values; treat this as the worst-case interpretation when assessing impact on your own deployment. The typed-codec union decoder (codec union.go getUnionSchema → Reader.ReadInt) is not affected.
6. OCF block-size narrowing and negative make. readBlock() passes the decoded int64 size directly to make([]byte, size). A negative wire value panics on every platform; a value > MaxInt32 additionally panics via the 32-bit narrowing path. The fix validates the size is in [0, MaxByteSliceSize] before narrowing.

Fixed behavior

1. Read the wire value into an int64-typed local.
2. Range-check upper and lower bounds before narrowing.
3. Compare cumulative limits using subtraction-safe arithmetic.
4. Route skip operations through SkipNBytesInt64().
5. Return descriptive errors using the consistent "value is too big" / "value is too small" wording.
6. Cast to int only after validation succeeds.

Affected versions

• github.com/hamba/avro/v2 — all versions up to and including v2.31.0 (repository is read-only upstream).
• github.com/iskorotkov/avro/v2 — all versions prior to v2.33.0.

Fixed versions

Mitigation

- import "github.com/hamba/avro/v2"
+ import "github.com/iskorotkov/avro/v2"

replace github.com/hamba/avro/v2 => github.com/iskorotkov/avro/v2 v2.33.0

• Do not decode untrusted Avro data on any platform — the cumulative-arithmetic overflow paths (arrayDecoder.Decode, mapDecoder.Decode, mapDecoderUnmarshaler.Decode) are reachable on amd64 / arm64. The truncation paths on 32-bit cannot be mitigated by setting Config.MaxByteSliceSize lower, because the truncated post-narrowing value is what the limit sees, not the original wire value.
• For the cross-platform math.MinInt and OCF negative-size panic paths, wrapping Decode / OCF read calls in a goroutine with defer recover() contains the crash, but is not a substitute for upgrading. The other narrowing paths return errors rather than panicking, so recover() does nothing for them.
• Isolate decoding workers so a crash is bounded.

Proof-of-concept inputs

• A bytes or string length of (1<<32) + N for small N, which narrows to N on 32-bit and bypasses Config.MaxByteSliceSize.
• A union index of 1<<32, which narrows to 0 on 32-bit and selects types[0] despite the upper-bound check.
• An array or map encoded across multiple blocks whose cumulative element count wraps the signed int running total before the limit check fires. Demonstrated on amd64 by TestDecoder ArrayMultiBlockExceedsMaxInt: MaxSliceAllocSize = 13, block 1 of 3, block 2 of math.MaxInt − 2. Wraps to math.MinInt, check passes, decoder proceeds.
• A block header whose absolute value is math.MinInt, triggering the unsafe negation (cross-platform).
• An OCF block size that is negative on the wire, causing make([]byte, size) to panic (cross-platform); or a positive value > MaxInt32 on 32-bit, same outcome via narrowing.

References

• Initial hardening PR: iskorotkov/avro#9
• Completeness pass PR: iskorotkov/avro#10
• Fix commits: bed99b3, e1a570f
• Release: v2.33.0
• Security policy: SECURITY.md
• Related advisories on this fork: GHSA-w8j3-pq8g-8m7w (CPU exhaustion — overlaps via the same large-block-count payload shape), GHSA-mx64-mj3q-7prj (unbounded map allocation)
• Cross-module precedent on hamba/avro: GO-2023-1930 / CVE-2023-37475 / GHSA-9x44-9pgq-cf45
• Upstream (read-only): hamba/avro

Credits

• Discovery and initial fixes (PR #9, commit bed99b3 — ReadBlockHeader, cumulative array/map checks, skip helpers): Daniel Błażewicz (@klajok)
• Completeness fixes (commit e1a570f — union index, readBytes, OCF readBlock, 32-bit CI coverage): Ivan Korotkov (@iskorotkov)

Timeline

• 2026-05-04 — Initial integer-overflow hardening (PR #9, bed99b3) merged.
• 2026-05-04 — Completeness pass (e1a570f) merged; 32-bit CI job added.
• 2026-05-06 — v2.33.0 tagged and released.
• 2026-05-11 — Advisory published.
• 2026-05-15 — Advisory revised.