[PR] Fix integer overflow in BufferBuilder reachable from JSON parsing [arrow]

Tue, 28 Apr 2026 04:49:48 -0700 


metsw24-max opened a new pull request, #49883:
URL: https://github.com/apache/arrow/pull/49883

   ### Rationale for this change
   
   `BufferBuilder` and `TypedBufferBuilder` perform size calculations that are 
reachable from JSON parsing of untrusted input. These calculations previously 
used unchecked integer arithmetic (e.g., `size_ + additional_bytes`, 
`num_elements * sizeof(T)`), which can overflow.
   
   Since the JSON parser constructs arrays, strings, and offsets based on input 
data, an attacker can influence these values. Overflow in these calculations 
can result in incorrect buffer sizing and unsafe memory operations.
   
   
   ### What changes are included in this PR?
   
   - Added overflow-safe arithmetic using `internal::AddWithOverflow` and 
`internal::MultiplyWithOverflow` for:
     - `size_ + additional_bytes`
     - `num_elements * sizeof(T)`
     - capacity growth logic
   
   - Added validation for negative inputs across:
     - `Append`
     - `Reserve`
     - `Resize`
     - `Advance`
     - `FinishWithLength`
   
   - Hardened `GrowByFactor` to prevent overflow when doubling capacity
   
   - Updated `TypedBufferBuilder` to safely compute byte sizes from element 
counts
   
   - Added regression tests covering:
     - negative values
     - addition overflow
     - multiplication overflow
   
   
   ### Are these changes tested?
   
   Yes.
   
   New tests were added to:
   - Validate rejection of negative inputs
   - Detect overflow conditions in both `BufferBuilder` and `TypedBufferBuilder`
   - Ensure proper error handling (`Invalid`, `CapacityError`) instead of 
undefined behavior
   
   
   ### Are there any user-facing changes?
   
   No functional changes for valid inputs.
   
   Invalid inputs (e.g., negative sizes or values causing overflow) that 
previously resulted in undefined behavior are now explicitly rejected with 
clear error statuses.
   
   
   **This PR contains a "Critical Fix".**
   
   Unchecked integer arithmetic in buffer size calculations could overflow when 
processing untrusted JSON input. This may result in under-allocation of buffers 
followed by writes of larger logical sizes, leading to potential out-of-bounds 
memory writes and undefined behavior.
   
   This patch ensures all such arithmetic is validated, preventing incorrect 
buffer sizing and eliminating this class of memory safety issues.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to