metsw24-max opened a new issue, #50063:
URL: https://github.com/apache/arrow/issues/50063
When `Tensor::Make` is called without explicit strides,
`ValidateTensorParameters` (cpp/src/arrow/tensor.cc) only computes row-major
strides and never verifies the data buffer is large enough for the shape. The
buffer-overrun guard in `CheckTensorStridesValidity` runs only when strides are
supplied. A row-major tensor whose shape exceeds its backing buffer is
accepted, leading to out-of-bounds reads when the tensor is consumed.
This is reachable from IPC `ReadTensor`: the shape comes from the Tensor
flatbuffer and the data is the message body, whose size is independent of the
shape, and the flatbuffer commonly omits strides (row-major).
```c++
auto data = Buffer::Wrap(std::vector<double>{1, 2}); // 16 bytes
// shape needs 3*100*8 = 2400 bytes; currently returns OK
auto t = Tensor::Make(float64(), data, {3, 100});
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
