From c98bd88316bb91114dd06aaa21a1bdfd77ecdf23 Mon Sep 17 00:00:00 2001
From: Ivan Chesnov
Date: Tue, 20 Jun 2023 20:20:44 +0300
Subject: [PATCH 1/2] DX-61688 fixed out_len value for nullptr (#24)
---
 cpp/src/gandiva/gdv_function_stubs.cc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cpp/src/gandiva/gdv_function_stubs.cc b/cpp/src/gandiva/gdv_function_stubs.cc
index 67d39aeba55da..d2aeb883a3122 100644
--- a/cpp/src/gandiva/gdv_function_stubs.cc
+++ b/cpp/src/gandiva/gdv_function_stubs.cc
@@ -325,6 +325,7 @@ const char* gdv_fn_aes_encrypt(int64_t context, const char* data, int32_t data_l
 std::string err_msg = "Could not allocate memory for returning aes encrypt cypher text";
 gdv_fn_context_set_error_msg(context, err_msg.data());
+ *out_len = 0;
 return nullptr;
 }
@@ -333,6 +334,7 @@ const char* gdv_fn_aes_encrypt(int64_t context, const char* data, int32_t data_l
 reinterpret_cast(ret));
 } catch (const std::runtime_error& e) {
 gdv_fn_context_set_error_msg(context, e.what());
+ *out_len = 0;
 return nullptr;
 }
@@ -356,6 +358,7 @@ const char* gdv_fn_aes_decrypt(int64_t context, const char* data, int32_t data_l
 std::string err_msg = "Could not allocate memory for returning aes encrypt cypher text";
 gdv_fn_context_set_error_msg(context, err_msg.data());
+ *out_len = 0;
 return nullptr;
 }
@@ -364,6 +367,7 @@ const char* gdv_fn_aes_decrypt(int64_t context, const char* data, int32_t data_l
 reinterpret_cast(ret));
 } catch (const std::runtime_error& e) {
 gdv_fn_context_set_error_msg(context, e.what());
+ *out_len = 0;
 return nullptr;
 }
From ab2495b8d4d1acc912525efd443886b8b3578245 Mon Sep 17 00:00:00 2001
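Review bot: The `*out_len = 0;` reset is repeated by hand on four exits (the allocation-failure and `catch` paths of both `gdv_fn_aes_encrypt` and `gdv_fn_aes_decrypt`), so any return not shown in these hunks may still hand back a null pointer with the caller's length left untouched. Writing `*out_len = 0;` once as the first statement of each function would cover every exit, assuming the success path assigns the real length afterwards. Both function bodies begin and end outside the hunks, so the remaining returns need checking against the full file. Separately, the allocation-failure message in `gdv_fn_aes_decrypt` (third hunk) still reads "aes encrypt cypher text", which will mislead anyone triaging a decrypt failure.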
From: lriggs
Date: Wed, 28 Jun 2023 13:27:06 -0700
Subject: [PATCH 2/2] GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211) (#27)
* GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211) Upgrading Netty dependency due to CVE https://github.com/advisories/GHSA-6mjq-h674-j845 This also requires a patch to arrow-memory Upgrading Netty, gRPC and Protobuf dependencies Existing tests No **This PR contains a "Critical Fix".** netty-handler SniHandler 16MB allocation The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. https://github.com/advisories/GHSA-6mjq-h674-j845
* Closes: #36209
Authored-by: Bryan Cutler
Signed-off-by: David Li
* Restore jackson version.
---------
Signed-off-by: David Li
Co-authored-by: Bryan Cutler
---
 .../main/java/io/netty/buffer/PooledByteBufAllocatorL.java | 2 +-
 java/pom.xml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
index d0a5a9945ce20..8364b4a258889 100644
--- a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
+++ b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
@@ -161,7 +161,7 @@ public InnerAllocator() {
 }
 private UnsafeDirectLittleEndian newDirectBufferL(int initialCapacity, int maxCapacity) {
- PoolThreadCache cache = threadCache();
+ PoolArenasCache cache = threadCache();
 PoolArena directArena = cache.directArena;
 if (directArena != null) {
diff --git a/java/pom.xml b/java/pom.xml
index b9d22cdc5807b..f7295e2ce6be1 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -33,9 +33,9 @@
 5.9.0
 1.7.25
 31.1-jre
- 4.1.82.Final
- 1.49.1
- 3.21.6
+ 4.1.94.Final
+ 1.56.0
+ 3.23.1
 2.13.4
 2.7.1
 1.12.0