Copilot commented on code in PR #41870:
URL: https://github.com/apache/arrow/pull/41870#discussion_r3503950237


##########
cpp/src/arrow/tensor.cc:
##########
@@ -367,42 +412,42 @@ Status RecordBatchToTensor(const RecordBatch& batch, bool 
null_to_nan, bool row_
   }
 
   // Allocate memory
-  ARROW_ASSIGN_OR_RAISE(
-      std::shared_ptr<Buffer> result,
-      AllocateBuffer(result_type->bit_width() * batch.num_columns() * 
batch.num_rows(),
-                     pool));
+  ARROW_ASSIGN_OR_RAISE(std::shared_ptr<Buffer> result,
+                        AllocateBuffer(result_type->byte_width() *
+                                           container.num_columns() * 
container.num_rows(),
+                                       pool));

Review Comment:
   The buffer allocation size calculation can overflow due to intermediate 
32-bit `int` multiplication (`byte_width() * num_columns()`), which can lead to 
under-allocation and subsequent out-of-bounds writes when filling the tensor 
for very wide tables/batches. Compute the size in `int64_t` and use 
overflow-checked multiplication (similar to the stride helpers) before calling 
`AllocateBuffer`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to