Re: [PR] GH-49753: [C++][Gandiva] Fix overflow in string functions [arrow]

[via GitHub]

Copilot commented on code in PR #49813:
URL: https://github.com/apache/arrow/pull/49813#discussion_r3277977870


##########
cpp/src/gandiva/gdv_function_stubs_test.cc:
##########
@@ -1127,6 +1190,15 @@ TEST(TestGdvFnStubs, TestTranslate) {
   result = translate_utf8_utf8_utf8(ctx_ptr, "987654321", 9, "123456789", 9, 
"0123456789",
                                     10, &out_len);
   EXPECT_EQ(expected, std::string(result, out_len));
+
+  int32_t bad_in_len = std::numeric_limits<int32_t>::max() / 4 + 1;
+  out_len = -1;
+  result = translate_utf8_utf8_utf8(ctx_ptr, "\\x80BCDE", bad_in_len, "B", 1, 
"C", 1,
+                                    &out_len);

Review Comment:
   The overflow test passes `in_len = INT_MAX/4 + 1` with an input literal 
`"\\x80BCDE"`, which does **not** contain a high-bit byte (it starts with a 
backslash). `translate_utf8_utf8_utf8` scans up to `in_len` bytes looking for 
`> 127`, so this test can read far past the literal (and potentially crash/hang 
under ASan/UBSan) before the overflow check is reached. Use an input buffer 
whose first byte is actually >= 0x80 (e.g., `"\x80BCDE"` or a `std::string` 
with `char(0x80)` as the first byte) so the scan breaks immediately and the 
test reliably exercises the multibyte overflow path without OOB reads.
   



##########
cpp/src/gandiva/precompiled/string_ops.cc:
##########
@@ -2444,182 +2462,175 @@ void concat_word(char* out_buf, int* out_idx, const 
char* in_buf, int in_len,
   *out_idx += in_len;
 }
 
-FORCE_INLINE
-const char* concat_ws_utf8_utf8(int64_t context, const char* separator,
-                                int32_t separator_len, bool separator_validity,
-                                const char* word1, int32_t word1_len, bool 
word1_validity,
-                                const char* word2, int32_t word2_len, bool 
word2_validity,
-                                bool* out_valid, int32_t* out_len) {
-  *out_len = 0;
-  int numValidInput = 0;
-  // If separator is null, always return null
-  if (!separator_validity) {
-    *out_len = 0;
-    *out_valid = false;
-    return "";
-  }
+// Helper structure to maintain state during safe length accumulation
+struct SafeLengthState {
+  int32_t total_len = 0;
+  int32_t num_valid = 0;
+  bool overflow = false;
+};
+
+// Helper to safely add a word length
+static inline bool safe_accumulate_word(SafeLengthState& state, int32_t 
word_len,
+                                        bool word_validity) {
+  if (!word_validity) return true;
 
-  if (word1_validity) {
-    *out_len += word1_len;
-    numValidInput++;
+  if (word_len < 0) {
+    return false;
   }
-  if (word2_validity) {
-    *out_len += word2_len;
-    numValidInput++;
+
+  int32_t temp = 0;
+  if (ARROW_PREDICT_FALSE(
+          arrow::internal::AddWithOverflow(state.total_len, word_len, &temp))) 
{
+    state.overflow = true;
+    return false;
   }
+  state.total_len = temp;
+  state.num_valid++;
+  return true;
+}
 
-  *out_len += separator_len * (numValidInput > 1 ? numValidInput - 1 : 0);
-  if (*out_len == 0) {
-    *out_valid = true;
-    return "";
+// Helper to safely add separators based on number of valid words
+static inline bool safe_add_separators(SafeLengthState* state, int32_t 
separator_len) {
+  if (state->num_valid <= 1) return true;
+
+  int32_t sep_total = 0;
+  int32_t temp = 0;
+
+  if (ARROW_PREDICT_FALSE(arrow::internal::MultiplyWithOverflow(
+          separator_len, state->num_valid - 1, &sep_total))) {
+    state->overflow = true;
+    return false;
   }
 
-  char* out = reinterpret_cast<char*>(gdv_fn_context_arena_malloc(context, 
*out_len));
-  if (out == nullptr) {
-    gdv_fn_context_set_error_msg(context, "Could not allocate memory for 
output string");
-    *out_len = 0;
-    *out_valid = false;
-    return "";
+  if (ARROW_PREDICT_FALSE(
+          arrow::internal::AddWithOverflow(state->total_len, sep_total, 
&temp))) {
+    state->overflow = true;
+    return false;
   }
 
-  char* tmp = out;
-  int out_idx = 0;
-  bool seenAnyValidInput = false;
+  state->total_len = temp;
+  return true;
+}
 
-  concat_word(tmp, &out_idx, word1, word1_len, word1_validity, separator, 
separator_len,
-              &seenAnyValidInput);
-  concat_word(tmp, &out_idx, word2, word2_len, word2_validity, separator, 
separator_len,
-              &seenAnyValidInput);
+// Helper to handle overflow failure (sets output parameters and returns empty 
string)
+static inline const char* handle_overflow_failure(bool* out_valid, int32_t* 
out_len) {
+  *out_len = 0;
+  *out_valid = false;
+  return "";
+}
 
+// Helper to handle empty result (all words invalid)
+static inline const char* handle_empty_result(bool* out_valid, int32_t* 
out_len) {
+  *out_len = 0;
   *out_valid = true;
-  *out_len = out_idx;
-  return out;
+  return "";
 }
 
-FORCE_INLINE
-const char* concat_ws_utf8_utf8_utf8(
-    int64_t context, const char* separator, int32_t separator_len,
-    bool separator_validity, const char* word1, int32_t word1_len, bool 
word1_validity,
-    const char* word2, int32_t word2_len, bool word2_validity, const char* 
word3,
-    int32_t word3_len, bool word3_validity, bool* out_valid, int32_t* out_len) 
{
+struct WordArg {
+  const char* data;
+  int32_t len;
+  bool valid;
+};
+
+static inline const char* concat_ws_impl(int64_t context, const char* 
separator,
+                                         int32_t separator_len, bool 
separator_validity,
+                                         bool* out_valid, int32_t* out_len,
+                                         std::initializer_list<WordArg> words) 
{
   *out_len = 0;
-  int numValidInput = 0;
-  // If separator is null, always return null
+
+  // Separator validity check
   if (!separator_validity) {
-    *out_len = 0;
     *out_valid = false;
     return "";
   }
-
-  if (word1_validity) {
-    *out_len += word1_len;
-    numValidInput++;
-  }
-  if (word2_validity) {
-    *out_len += word2_len;
-    numValidInput++;
+  if (separator_len < 0) {
+    *out_valid = false;
+    return "";
   }
-  if (word3_validity) {
-    *out_len += word3_len;
-    numValidInput++;
+
+  SafeLengthState state;
+
+  // Accumulate all word lengths safely
+  for (const WordArg& w : words) {
+    if (!safe_accumulate_word(state, w.len, w.valid)) {
+      gdv_fn_context_set_error_msg(context, "Invalid word length or 
validity.");
+      *out_len = 0;
+      *out_valid = false;
+      return "";
+    }
   }
 
-  *out_len += separator_len * (numValidInput > 1 ? numValidInput - 1 : 0);
+  // Add separator lengths
+  if (!safe_add_separators(&state, separator_len)) {
+    gdv_fn_context_set_error_msg(context, "Invalid separator.");
+    return handle_overflow_failure(out_valid, out_len);

Review Comment:
   `concat_ws_impl` reports overflows using generic messages like "Invalid word 
length or validity." and "Invalid separator." even when the failure is due to 
`AddWithOverflow`/`MultiplyWithOverflow` (i.e., an output-size overflow, not an 
invalid separator value). This makes debugging harder and is inconsistent with 
other string ops in this file that use a clear overflow message (e.g., "Memory 
allocation size too large."). Consider branching on `state.overflow` to emit an 
overflow-specific message and reserving the "invalid length" message for 
negative lengths.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@arrow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org