Arawoof06 opened a new pull request, #50463: URL: https://github.com/apache/arrow/pull/50463
### Rationale for this change The multi-byte branch of `translate_utf8_utf8_utf8` (taken whenever the input, FROM, or TO contains a byte > 127) reads `gdv_fn_utf8_char_length` on a lead byte and then builds a `std::string` of that width from the buffer without checking how many bytes remain. A truncated trailing glyph in the input reads past IN, a multi-byte input character missing from FROM reads one byte past FROM at the end-of-list sentinel (the `from_for == from_len` check ran after the read), and a truncated glyph in TO reads past TO. All three are reachable from the SQL `translate(in, from, to)` call on truncated column data. ### What changes are included in this PR? Clamp each utf8 character width to the bytes left in its buffer before copying, consuming a single byte on a truncated or invalid lead byte (which also stops a zero-width advance from looping forever), and move the FROM end-of-list check ahead of the read so the sentinel iteration no longer touches `from[from_len]`. Valid input keeps its existing grouping since the clamp only fires past the end. ### Are these changes tested? Yes. Added two cases to `TestGdvFnStubs.TestTranslate`: a truncated trailing glyph in the input, and a valid multi-byte input char absent from FROM. Both use exact-sized buffers so ASAN trips on the pre-patch over-read and passes after the fix. ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** It fixes a heap out-of-bounds read (crash) in `translate` reachable from user-supplied string data. * GitHub Issue: #50462 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
