metsw24-max opened a new pull request, #50064:
URL: https://github.com/apache/arrow/pull/50064

   ### Rationale for this change
   
   `ValidateTensorParameters` in cpp/src/arrow/tensor.cc only runs the 
`CheckTensorStridesValidity` buffer-overrun guard when strides are passed 
explicitly. With implicit (row-major) strides it computes strides for overflow 
but never checks the data buffer is large enough for the shape, so a tensor 
whose shape exceeds its buffer is accepted and later read out of bounds. This 
is reachable from IPC `ReadTensor`, where the shape comes from the flatbuffer 
and the body size is independent of it.
   
   ### What changes are included in this PR?
   
   Run `CheckTensorStridesValidity` on the computed row-major strides too.
   
   ### Are these changes tested?
   
   Added a case to `TestTensor.MakeFailureCases`.
   
   ### Are there any user-facing changes?
   
   No.
   
   **This PR contains a "Critical Fix".** Crafted IPC tensor metadata (or any 
caller building a row-major tensor over an undersized buffer) bypassed the 
bounds check, enabling an out-of-bounds read.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
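
A simplified model of the gap described in the pull request above, added here as an illustration; it is not part of the pull request and is not Arrow's code. All function names are hypothetical, and the sample shapes and buffer sizes in the usage are constructed. It contrasts validating implicit row-major strides for overflow only with also checking that the last addressable element ends inside the data buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

using Shape = std::vector<int64_t>;

// Row-major byte strides for `shape`; false on a negative dimension or
// when the total byte size overflows int64_t.
bool RowMajorStrides(const Shape& shape, int64_t elem_size, Shape* strides) {
  strides->assign(shape.size(), 0);
  int64_t remaining = elem_size;
  for (size_t i = shape.size(); i-- > 0;) {
    if (shape[i] < 0) return false;
    (*strides)[i] = remaining;
    if (shape[i] != 0 &&
        remaining > std::numeric_limits<int64_t>::max() / shape[i]) {
      return false;
    }
    remaining *= shape[i];
  }
  return true;
}

// True when the last addressable element ends inside the buffer.
// Precondition: strides came from RowMajorStrides, so the sum cannot overflow.
bool FitsInBuffer(const Shape& shape, const Shape& strides, int64_t elem_size,
                  int64_t buffer_size) {
  int64_t last_offset = 0;
  for (size_t i = 0; i < shape.size(); ++i) {
    if (shape[i] == 0) return true;  // empty tensor reads no bytes
    last_offset += (shape[i] - 1) * strides[i];
  }
  return last_offset <= buffer_size - elem_size;
}

// Behaviour described as the bug: implicit strides get the overflow check only.
bool ValidateOverflowOnly(const Shape& shape, int64_t elem_size, int64_t) {
  Shape strides;
  return RowMajorStrides(shape, elem_size, &strides);
}

// Behaviour described as the fix: computed strides are bounds-checked too.
bool ValidateWithBounds(const Shape& shape, int64_t elem_size,
                        int64_t buffer_size) {
  Shape strides;
  return RowMajorStrides(shape, elem_size, &strides) &&
         FitsInBuffer(shape, strides, elem_size, buffer_size);
}
```

With a 1024 x 1024 shape of 8-byte elements over a 64-byte buffer, the overflow-only validator accepts the tensor and the bounds-checking one rejects it.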
