metsw24-max opened a new issue, #50067: URL: https://github.com/apache/arrow/issues/50067
When reading a Feather V1 file, `ReaderV1::LoadValues` in `cpp/src/arrow/ipc/feather.cc` reads `total_bytes` of data for a column, then carves null-bitmap, offsets, and values sub-buffers using sizes derived from `meta->length()`. That length comes from the footer flatbuffer (parsed with `GetCTable` and never verified) and is independent of the data buffer, so a file declaring a large `length` but a small `total_bytes` produces `SliceBuffer` calls that fall outside the backing buffer, and the trailing `buffer->size() - offset` underflows. The resulting oversized buffer views lead to an out-of-bounds read when the array is consumed. `SliceBuffer` only validates in debug builds, so the slices should use `SliceBufferSafe` and reject negative `length`/`null_count`.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
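As an added example (not Arrow's own code) of the validation the report asks for, written in C++ against a hypothetical stand-in for the footer metadata and assuming the Feather V1 column layout of null bitmap, int32 offsets and values, each padded to 8 bytes: `UncheckedTrailing` reproduces the `size - offset` underflow, and `CarveChecked` carves the same sub-buffers with `SliceBufferSafe`-style bounds checks and rejects negative `length`/`null_count`.

```cpp
#include <cstdint>
#include <optional>

// Hypothetical stand-in for the footer metadata that LoadValues trusts.
// Field names follow the issue text; this is not Arrow's flatbuffer type.
struct ColumnMeta {
  int64_t length;       // declared row count (from the footer)
  int64_t null_count;   // declared null count (from the footer)
  int64_t total_bytes;  // bytes actually read for the column
};

struct Slice { int64_t offset; int64_t length; };
struct Layout { Slice nulls; Slice offsets; Slice values; };

// Assumed: each sub-buffer is padded to 8 bytes.
constexpr int64_t Pad8(int64_t n) { return (n + 7) & ~int64_t{7}; }

// Bounds-checked slice with SliceBufferSafe-style rules: no negative offset or
// length, and the slice must lie entirely inside [0, size].
std::optional<Slice> SliceSafe(int64_t size, int64_t offset, int64_t length) {
  if (offset < 0 || length < 0 || offset > size || length > size - offset) {
    return std::nullopt;
  }
  return Slice{offset, length};
}

// Trailing values size as computed without validation: the buffer size minus
// the running offset, which goes negative once the footer overstates `length`.
int64_t UncheckedTrailing(const ColumnMeta& m) {
  int64_t bitmap = m.null_count > 0 ? Pad8((m.length + 7) / 8) : 0;
  int64_t offset = bitmap + Pad8((m.length + 1) * 4);  // int32 offsets
  return m.total_bytes - offset;  // underflows when length >> total_bytes
}

// Carve a string column (bitmap, int32 offsets, values) checking every slice
// against total_bytes, so an oversized footer `length` is rejected up front.
std::optional<Layout> CarveChecked(const ColumnMeta& m) {
  if (m.length < 0 || m.null_count < 0 || m.null_count > m.length) return std::nullopt;
  if (m.length > INT64_MAX / 16) return std::nullopt;  // keep size math overflow-free
  Layout out{};
  int64_t pos = 0;
  int64_t bitmap = m.null_count > 0 ? Pad8((m.length + 7) / 8) : 0;
  auto s = SliceSafe(m.total_bytes, pos, bitmap);
  if (!s) return std::nullopt;
  out.nulls = *s; pos += bitmap;
  s = SliceSafe(m.total_bytes, pos, Pad8((m.length + 1) * 4));
  if (!s) return std::nullopt;
  out.offsets = *s; pos += s->length;
  s = SliceSafe(m.total_bytes, pos, m.total_bytes - pos);  // remainder is values
  if (!s) return std::nullopt;
  out.values = *s;
  return out;
}
```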
