From 5be92c41e0d487d4f729db568001df91612dc3b0 Mon Sep 17 00:00:00 2001
From: dxbjavid <dxbjavid@gmail.com>
Date: Sat, 13 Jun 2026 17:39:53 +0530
Subject: [PATCH 1/2] fix off-by-ten header bounds check in readHeaderFormat

---
 .../src/thrift/transport/THeaderTransport.cpp |  5 +++-
 lib/cpp/test/ThrifttReadCheckTests.cpp        | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/lib/cpp/src/thrift/transport/THeaderTransport.cpp b/lib/cpp/src/thrift/transport/THeaderTransport.cpp
index 70510d95c45..cdf29cf3d53 100644
--- a/lib/cpp/src/thrift/transport/THeaderTransport.cpp
+++ b/lib/cpp/src/thrift/transport/THeaderTransport.cpp
@@ -222,7 +222,10 @@ void THeaderTransport::readHeaderFormat(uint16_t headerSize, uint32_t sz) {
   }
   headerSize *= 4;
   const uint8_t* const headerBoundary = ptr + headerSize;
-  if (headerSize > sz) {
+  // ptr already skips the 10-byte common header, so the header section has to
+  // fit in the remaining sz - 10 bytes; comparing against sz alone let the
+  // boundary sit up to 10 bytes past the receive buffer.
+  if (headerSize > sz - 10) {
     throw TTransportException(TTransportException::CORRUPTED_DATA,
                               "Header size is larger than frame");
   }
diff --git a/lib/cpp/test/ThrifttReadCheckTests.cpp b/lib/cpp/test/ThrifttReadCheckTests.cpp
index d62f66330ad..7abcff8bd32 100644
--- a/lib/cpp/test/ThrifttReadCheckTests.cpp
+++ b/lib/cpp/test/ThrifttReadCheckTests.cpp
@@ -31,6 +31,7 @@
 #include <memory>
 #include <thrift/transport/TTransportUtils.h>
 #include <thrift/transport/TBufferTransports.h>
+#include <thrift/transport/THeaderTransport.h>
 #include <thrift/transport/TSimpleFileTransport.h>
 #include <thrift/transport/TFileTransport.h>
 #include <thrift/protocol/TEnum.h>
@@ -317,4 +318,26 @@ BOOST_AUTO_TEST_CASE(test_tthriftjsonprotocol_read_check_exception) {
   protocol->readMapEnd();
 }
 
+BOOST_AUTO_TEST_CASE(test_theadertransport_header_size_exceeds_frame) {
+  using apache::thrift::transport::THeaderTransport;
+  // Header-format frame whose declared header size (3 * 4 = 12) leaves fewer
+  // than the 10 common-header bytes inside the 14-byte frame. The trailing
+  // varint bytes are all continuation bytes, so the reader used to run off the
+  // end of the receive buffer.
+  uint8_t frame[] = {
+      0x00, 0x00, 0x00, 0x0E, // frame length = 14
+      0x0F, 0xFF, 0x00, 0x00, // header magic
+      0x00, 0x00, 0x00, 0x00, // seqId
+      0x00, 0x03,             // header size field (3 -> 12 bytes)
+      0x02,                   // protocol id varint
+      0x00,                   // num transforms = 0
+      0x80, 0x80              // info-header varint, all continuation
+  };
+  std::shared_ptr<TMemoryBuffer> buffer(new TMemoryBuffer(frame, sizeof(frame)));
+  std::shared_ptr<THeaderTransport> trans(new THeaderTransport(buffer));
+
+  uint8_t out[1];
+  BOOST_CHECK_THROW(trans->read(out, sizeof(out)), TTransportException);
+}
+
 BOOST_AUTO_TEST_SUITE_END()

From 28b7cb6c1457b8c9ae24bfdb142e6617714dafee Mon Sep 17 00:00:00 2001
From: Jens Geyer <jensg@apache.org>
Date: Mon, 15 Jun 2026 23:27:25 +0200
Subject: [PATCH 2/2] link UnitTests against libthriftz to resolve
 THeaderTransport vtable

THeaderTransport.cpp is compiled into libthriftz, not libthrift.
Without this link, the new THeaderTransport test case produces an
undefined reference to the vtable at link time.

Client: cpp

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 lib/cpp/test/Makefile.am | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/cpp/test/Makefile.am b/lib/cpp/test/Makefile.am
index 234dd0b9964..b0711c4f530 100644
--- a/lib/cpp/test/Makefile.am
+++ b/lib/cpp/test/Makefile.am
@@ -146,6 +146,7 @@ UnitTests_SOURCES = \
 
 UnitTests_LDADD = \
   libtestgencpp.la \
+  $(top_builddir)/lib/cpp/libthriftz.la \
   $(BOOST_TEST_LDADD) \
   $(BOOST_SYSTEM_LDADD) \
   $(BOOST_THREAD_LDADD)