From 416a18be7516fc69a251be6792c5756714694dfd Mon Sep 17 00:00:00 2001
From: ffacs <ffacs520@gmail.com>
Date: Tue, 12 May 2026 10:37:47 +0800
Subject: [PATCH] ORC-2165: [C++] Fix bounds check for LZO stop command trailer

---
 c++/src/LzoDecompressor.cc    |  5 ++++-
 c++/test/TestDecompression.cc | 30 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/c++/src/LzoDecompressor.cc b/c++/src/LzoDecompressor.cc
index 68e25425c2..cc03adb3db 100644
--- a/c++/src/LzoDecompressor.cc
+++ b/c++/src/LzoDecompressor.cc
@@ -365,7 +365,10 @@ namespace orc {
         lastLiteralLength = literalLength;
       }
 
-      if (input + SIZE_OF_SHORT > inputLimit && *reinterpret_cast<const int16_t*>(input) != 0) {
+      if (input + SIZE_OF_SHORT > inputLimit) {
+        throw MalformedInputException(input - inputAddress);
+      }
+      if (input[0] != 0 || input[1] != 0) {
         throw MalformedInputException(input - inputAddress);
       }
       input += SIZE_OF_SHORT;
diff --git a/c++/test/TestDecompression.cc b/c++/test/TestDecompression.cc
index ecf0d3d5b6..08ef50ab3c 100644
--- a/c++/test/TestDecompression.cc
+++ b/c++/test/TestDecompression.cc
@@ -357,6 +357,36 @@ namespace orc {
     ASSERT_TRUE(!result->Next(&ptr, &length));
   }
 
+  TEST_F(TestDecompression, testLzoTruncatedStopCommand) {
+    const unsigned char missingTrailer[] = {0x02, 0x00, 0x00, 0x11};
+    std::unique_ptr<SeekableInputStream> missingTrailerResult = createDecompressor(
+        CompressionKind_LZO,
+        std::make_unique<SeekableArrayInputStream>(missingTrailer, ARRAY_SIZE(missingTrailer)),
+        128 * 1024, *getDefaultPool(), getDefaultReaderMetrics());
+
+    const void* ptr;
+    int length;
+    EXPECT_THROW(
+        {
+          bool next = missingTrailerResult->Next(&ptr, &length);
+          static_cast<void>(next);
+        },
+        ParseError);
+
+    const unsigned char shortTrailer[] = {0x04, 0x00, 0x00, 0x11, 0x00};
+    std::unique_ptr<SeekableInputStream> shortTrailerResult = createDecompressor(
+        CompressionKind_LZO,
+        std::make_unique<SeekableArrayInputStream>(shortTrailer, ARRAY_SIZE(shortTrailer)),
+        128 * 1024, *getDefaultPool(), getDefaultReaderMetrics());
+
+    EXPECT_THROW(
+        {
+          bool next = shortTrailerResult->Next(&ptr, &length);
+          static_cast<void>(next);
+        },
+        ParseError);
+  }
+
   TEST_F(TestDecompression, testLzoLong) {
     // set up a framed lzo buffer with 100,000 'a'
     unsigned char buffer[482];