Fix: Integer Truncation in PatternLayout causing heap corruption with large logs#584
Closed
OxBat wants to merge 2 commits into apache:master from
Conversation
The explicit cast to (int) caused negative indexing when processing log messages larger than 2GB on 64-bit systems, leading to potential heap corruption. Changed startField type to size_t.
rm5248 reviewed on Jan 29, 2026
| { | ||
| int startField = (int)output.length(); | ||
| // Fix integer truncation vulnerability (size_t to int cast) | ||
| size_t startField = output.length(); |
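Review bot: retyping the local to size_t (`size_t startField = output.length();`) does not remove the narrowing by itself; the PR description says startField is handed on to FormattingInfo, so if that parameter is still an int the conversion merely moves from the explicit `(int)` cast to an implicit one at the call site, and a length above INT_MAX still arrives there negative. Either carry the offset as size_t through FormattingInfo as well, or reject lengths above INT_MAX before the call instead of letting them wrap. The added comment `// Fix integer truncation vulnerability (size_t to int cast)` describes the PR rather than the code and should be dropped.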
Contributor: It looks like you have some odd indentation here. The comment is also not helpful; can we remove it?
Author (Contributor): I've removed the comment and fixed the indentation.
Contributor: The proposed change does not correct the problem as the truncation still occurs when passing I suggest the correct solution is not calling
Contributor: Resolved by #593
Summary
I identified a critical integer truncation vulnerability in PatternLayout::format. The code explicitly casts the 64-bit buffer length (size_t) to a signed 32-bit integer (int). On 64-bit systems, if a log message exceeds 2GB (e.g., large JSON dumps or accumulated stack traces), the length wraps around to a negative number. This negative index is then passed to downstream formatters, leading to out-of-bounds memory access (heap corruption) or segmentation faults.
Technical Analysis
In src/main/cpp/patternlayout.cpp (around line 130): When output.length() > INT_MAX, startField becomes negative. This startField is subsequently used for pointer arithmetic or string indexing in FormattingInfo, causing the crash.
Remediation
This patch removes the unsafe cast and updates the variable type to size_t to correctly handle the return type of std::string::length().
Steps to Reproduce (Logic)
PatternLayout with %m. int truncates the size, resulting in a negative offset.
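The narrowing described in the Technical Analysis above, and the reviewer's objection that retyping only the local variable does not remove it, as an added C++ example written for this page (it is not log4cxx code and does not reproduce the project's PatternLayout or FormattingInfo): intTakingFormatter and sizeTakingFormatter are hypothetical stand-ins for a downstream formatter taking int or size_t, the kJustOverIntMax and kThreeGiB lengths are constructed offsets standing in for a multi-gigabyte buffer (nothing is allocated; only the offset arithmetic runs), and the wrapped values assume the two's-complement modular behaviour GCC and Clang give for an out-of-range conversion to int, which is implementation-defined before C++20.

```cpp
#include <cassert>
#include <climits>
#include <cstddef>

// Hypothetical stand-in for a downstream formatter whose start-offset
// parameter is a plain int. It returns what it received so the caller can
// observe what the narrowing conversion did to the value.
static long long intTakingFormatter(int fieldStart) {
    return static_cast<long long>(fieldStart);
}

// "Before": the explicit (int) cast from the original line. A length of
// INT_MAX + 1 comes out as INT_MIN on a two's-complement target, i.e. negative.
static long long startFieldWithCast(std::size_t len) {
    int startField = (int)len;
    return intTakingFormatter(startField);
}

// "PR version": only the local is retyped. The callee still takes int, so the
// narrowing happens implicitly at the call and the result is identical.
static long long startFieldLocalSizeT(std::size_t len) {
    std::size_t startField = len;
    return intTakingFormatter(startField);  // implicit size_t -> int
}

// Hardened option A: carry the offset as size_t through the callee as well,
// so there is no narrowing anywhere on the path.
static std::size_t sizeTakingFormatter(std::size_t fieldStart) {
    return fieldStart;
}
static std::size_t startFieldSizeTEndToEnd(std::size_t len) {
    return sizeTakingFormatter(len);
}

// Hardened option B: if an int-taking interface must stay, refuse lengths it
// cannot represent instead of letting them wrap. Returns false on rejection.
static bool startFieldChecked(std::size_t len, long long* out) {
    if (len > static_cast<std::size_t>(INT_MAX)) {
        return false;
    }
    *out = intTakingFormatter(static_cast<int>(len));
    return true;
}

// Constructed lengths standing in for a >2 GiB buffer (hypothetical values).
static const std::size_t kJustOverIntMax = static_cast<std::size_t>(INT_MAX) + 1;
static const std::size_t kThreeGiB = static_cast<std::size_t>(3) << 30;

int main() {
    assert(startFieldWithCast(4096) == 4096);
    assert(startFieldWithCast(kJustOverIntMax) == INT_MIN);
    assert(startFieldLocalSizeT(kJustOverIntMax) == INT_MIN);  // same as before
    assert(startFieldWithCast(kThreeGiB) < 0);
    assert(startFieldSizeTEndToEnd(kThreeGiB) == kThreeGiB);
    long long out = 0;
    assert(!startFieldChecked(kThreeGiB, &out));
    assert(startFieldChecked(4096, &out) && out == 4096);
    return 0;
}
```

The two hardened variants correspond to the reviewer's two ways out: change the callee's parameter type so the offset never narrows, or, if the int interface has to remain, bound the length before the call so the failure is an explicit rejection rather than a negative offset reaching the formatter.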