Fix Integer overflow in Poco::UTF32Encoding

[anfedotoff]

Changelog category (leave one):

• Bug Fix (user-visible misbehavior in an official stable release)

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

• Fix Integer overflow in Poco::UTF32Encoding

Patch from this issue.

[CLAassistant]

All committers have signed the CLA.

[robot-ch-test-poll2]

This is an automated comment for commit 341806d with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Successful checks

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
ClickHouse build check	Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker image for servers	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs check	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integrational tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Mergeable Check	Checks if all other necessary checks are successful	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
SQLTest	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
SQLancer	Fuzzing tests that detect logical bugs with SQLancer tool	✅ success
Sqllogic	Run clickhouse on the sqllogic test set against sqlite and checks that all statements are passed	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Style Check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success

Check name	Description	Status
CI running	A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR	⏳ pending
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	❌ failure
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	❌ failure
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	❌ failure

[anfedotoff]

@nickitat, is it possible to update the last release after merge, or create the new patch release?

[Algunenano]

is it possible to update the last release after merge, or create the new patch release?

Is this a bugfix that needs to be backported? It's tagged as Not for changelog and it doesn't have tests that reproduce the incorrect behaviour that's being changed.

[anfedotoff]

is it possible to update the last release after merge, or create the new patch release?

Is this a bugfix that needs to be backported? It's tagged as Not for changelog and it doesn't have tests that reproduce the incorrect behaviour that's being changed.

In POCO it is a security issue. I couldn't say how it affects ClickHouse, but maybe it's better to update.

[Algunenano]

I've tested removing the following functions:

-    int convert(const unsigned char * bytes) const;
-    int convert(int ch, unsigned char * bytes, int length) const;
-    int queryConvert(const unsigned char * bytes, int length) const;

CH still builds and runs. It seems CH doesn't use these functions, so no need to backport.

[Algunenano]

I was wrong and the code still might be used. It seems POCO code doesn't go through normal linters and doesn't declare override, so those methods would still exists (from the parent class) when I deleted them.

[anfedotoff]

I was wrong and the code still might be used. It seems POCO code doesn't go through normal linters and doesn't declare override, so those methods would still exists (from the parent class) when I deleted them.

Do we need just to change tag for backporting this patch, or we need to prove reachability first?

[Algunenano]

Let me start by saying that is my opinion:

• We can start by tagging this as a bugfix and mark it to be backported. Minor patches will be released in a normal fashion (best effort as with other bugfixes).
• If you can prove reachability or that it means a security problem, you can report it (https://github.com/ClickHouse/ClickHouse/blob/master/SECURITY.md) to security@clickhouse.com and the process will go from there (reviewing impact, affected releases, ensure patch releases are done ASAP, etc).

Does that make sense to you?

[anfedotoff]

Let me start by saying that is my opinion:

• We can start by tagging this as a bugfix and mark it to be backported. Minor patches will be released in a normal fashion (best effort as with other bugfixes).
• If you can prove reachability or that it means a security problem, you can report it (https://github.com/ClickHouse/ClickHouse/blob/master/SECURITY.md) to security@clickhouse.com and the process will go from there (reviewing impact, affected releases, ensure patch releases are done ASAP, etc).

Does that make sense to you?

Let's tag it as bugfix and mark it to be backported. A little bit later I'll try to investigate the reachability.

[Algunenano]

Failures:

• Stateless tests (release, DatabaseReplicated) [2/4] -> 02567_and_consistency. Already fixed in master.
• Stress test (tsan). Stuck query (S3::S3Client::GetObject -> AttemptExhaustively -> RetryRequestSleep). I'll create a ticket
• Upgrade test failures due to is_deleted feature removal.