metsw24-max opened a new pull request, #50055:
URL: https://github.com/apache/arrow/pull/50055
### Rationale for this change
`ReadSparseCOOIndex` builds the indices `Tensor` of shape
`{non_zero_length, ndim}` over `indicesBuffer` with no size check, unlike the
sibling `ReadSparseCSXIndex`. A crafted COO message with a large
`non_zero_length` and a small buffer produces an index tensor that overruns its
buffer, giving an out-of-bounds read when the sparse tensor is consumed (for
example, converted to dense). A `non_zero_length` near `INT64_MAX` also
overflows the `non_zero_length * ndim * byte_width` size product.
### What changes are included in this PR?
A minimum-size guard on `indicesBuffer` in `ReadSparseCOOIndex`, mirroring
the existing check in `ReadSparseCSXIndex` and using `MultiplyWithOverflow` for
the size computation.
### Are these changes tested?
The guard is a no-op for the valid inputs covered by the round-trip tests in
`cpp/src/arrow/ipc/tensor_test.cc`; the rejection and overflow behaviour was
checked against a standalone reproducer of the size computation.
### Are there any user-facing changes?
Reading a malformed sparse COO tensor message now returns `Status::Invalid`
instead of constructing an out-of-bounds index tensor.
**This PR contains a "Critical Fix".** A malformed IPC SparseTensor (COO)
message could trigger an out-of-bounds read when the resulting sparse tensor is
consumed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
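As an added example that is not part of this PR or of the Arrow code base, the C++ sketch below shows the shape of the guard the PR description calls for: the byte count an index tensor of shape `{non_zero_length, ndim}` would need is computed with overflow-checked multiplication and compared against the real buffer length before anything is built over the buffer. `CheckCOOIndicesBuffer`, `CheckResult` and `MulChecked` are names assumed for this example; Arrow's own `ReadSparseCOOIndex`, `Status` and `MultiplyWithOverflow` are not used, and the compiler builtin stands in for the project's overflow helper.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Outcome of validating a COO indices buffer. Assumed stand-in for a
// Status-style return value; not Arrow's Status type.
struct CheckResult {
  bool ok;
  std::string message;
};

// Overflow-checked int64 multiply: returns false instead of wrapping.
// Assumed stand-in for an overflow-aware multiply; uses the GCC/Clang builtin.
static bool MulChecked(int64_t a, int64_t b, int64_t* out) {
  return !__builtin_mul_overflow(a, b, out);
}

// Minimum-size guard for a sparse COO indices buffer. The index tensor has
// shape {non_zero_length, ndim} with byte_width bytes per element, so it needs
// non_zero_length * ndim * byte_width bytes. Both multiplications are checked
// for overflow, and the product must not exceed the bytes actually present.
CheckResult CheckCOOIndicesBuffer(int64_t non_zero_length, int64_t ndim,
                                  int64_t byte_width, int64_t buffer_size) {
  if (non_zero_length < 0 || ndim <= 0 || byte_width <= 0 || buffer_size < 0) {
    return {false, "invalid dimension in COO index metadata"};
  }
  int64_t elements = 0;
  int64_t required = 0;
  if (!MulChecked(non_zero_length, ndim, &elements) ||
      !MulChecked(elements, byte_width, &required)) {
    // A hostile non_zero_length near INT64_MAX lands here rather than
    // wrapping to a small, seemingly valid size.
    return {false, "COO index size overflows int64"};
  }
  if (required > buffer_size) {
    return {false, "COO indices buffer too small: need " +
                       std::to_string(required) + " bytes, have " +
                       std::to_string(buffer_size)};
  }
  return {true, ""};
}

int main() {
  // Constructed inputs: a well-formed message, a truncated one, and one with
  // a non_zero_length that overflows the size product.
  const struct { int64_t nnz, ndim, width, bytes; } cases[] = {
      {4, 2, 8, 64},         // 4 * 2 * 8 = 64 bytes: accepted
      {1000, 2, 8, 64},      // needs 16000 bytes, only 64 present: rejected
      {INT64_MAX, 2, 8, 64}, // size product overflows: rejected
  };
  for (const auto& c : cases) {
    CheckResult r = CheckCOOIndicesBuffer(c.nnz, c.ndim, c.width, c.bytes);
    std::printf("nnz=%lld ndim=%lld width=%lld bytes=%lld -> %s %s\n",
                (long long)c.nnz, (long long)c.ndim, (long long)c.width,
                (long long)c.bytes, r.ok ? "OK" : "Invalid", r.message.c_str());
  }
  return 0;
}
```

The guard is placed before the tensor is constructed, so a rejected message never yields an object whose later consumers (such as a dense conversion) would read past the buffer; validating before construction is what makes the check a no-op for well-formed inputs.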