Hi Adam,

The validation was significantly enhanced in git master. In particular,
Array::ValidateFull() will validate data more or less extensively. I
wouldn't be surprised if not everything is validated, though. Feel free
to open JIRA tickets about missing validation checks.

However, if you are in control of the current process, then you can
pretty much craft an invalid array in all kinds of manners. The main
security boundary is the IPC layer and other file format implementations
(CSV, Parquet...).

Regards

Antoine.


On 18/12/2019 at 17:42, Adam Hooper wrote:
> My project parses Arrow files produced by untrusted code.
>
> It looks to me like the "validate" function should help me avoid undefined
> behavior given an invalid Arrow file. I found a bug in the function: even
> after validation, an invalid Arrow file can trigger undefined behavior.
>
> Is security a goal of the Arrow project/format? If so, how shall I report
> this bug without endangering other users in my situation?
>
> Enjoy life,
> Adam
>