abtom87 opened a new issue, #49973: URL: https://github.com/apache/arrow/issues/49973
### Describe the bug, including details regarding any error messages, version, and platform. Description: Two issues remain from PR #49813 review: Overflow check happens after potential overflow: In quote_utf8 and to_hex_binary, the code computes (2 * in_len) or (2 * text_len) before passing to AddWithOverflow. When the input length exceeds INT32_MAX/2, signed integer overflow occurs before the overflow check runs, causing undefined behavior. Should use MultiplyWithOverflow first, then AddWithOverflow for the additional bytes. Negative length validation gap in concat_ws: The safe_accumulate_word() function returns false for negative lengths, but concat_ws_impl() only checks state.overflow in the loop. Negative valid lengths can slip through to concat_word() where they're passed to memcpy() as a huge size_t, causing out-of-bounds reads/writes. Need explicit negative length checks with proper error handling. References: https://github.com/apache/arrow/pull/49813#discussion_r3147133880 (quote_utf8 overflow) https://github.com/apache/arrow/pull/49813#discussion_r3149811773 (concat_ws negative lengths) ### Component(s) C++ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
