zanmato1984 opened a new issue, #43414:
URL: https://github.com/apache/arrow/issues/43414

### Describe the bug, including details regarding any error messages, version, and platform.

When resizing the underlying buffer for the var-length content of the row table, we do:
   
https://github.com/apache/arrow/blob/674e221f41c602c8f71c7a2c8e53e7c7c11b1ede/cpp/src/arrow/compute/row/row_internal.cc#L296-L299
   
It is treating the second buffer (row content if the row table is fixed length, or offsets otherwise) as offsets regardless of the fixed-length-ness. The fixed-length-ness is checked afterwards, in which case resizing the var-length buffer is unnecessary and we return.

But treating the second buffer as offsets unconditionally is problematic because, last but not least, it could be sized smaller than required by an offset buffer. Consider a row table containing only one `uint8` column with alignment of `1` byte: there will be `1` byte per row, less than the `4` bytes per row required for an offset, causing the offset access to go beyond the buffer boundary.

I have a repro case locally and will send it out as a UT with my fix PR.
   
### Component(s)

C++
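The ordering problem described in this issue, reduced to a constructed C++ example that is not Arrow's code: a stand-in `RowTableLike` with a hypothetical `buf1` (fixed-length rows, or `num_rows + 1` uint32 offsets, an assumed layout), a "buggy" routine that reads the last offset before checking fixed-length-ness, and a "fixed" routine that returns early for fixed-length tables. The offset read is bounds-checked so the example reports the out-of-bounds access instead of performing it.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for a row table's first two buffers; not Arrow's RowTableImpl.
struct RowTableLike {
  bool is_fixed_length;       // every row has the same byte length
  uint32_t num_rows;
  std::vector<uint8_t> buf1;  // fixed-length row bytes, or (num_rows + 1) uint32 offsets
};
// Answer to "how many var-length bytes does this table need?"
struct VarLenSize {
  bool out_of_bounds;  // the offset read would run past buf1 (a real OOB read in the bug)
  uint32_t required;   // bytes required; 0 for a fixed-length table
};

// Bounds-checked read of offsets[i] from buf1; reports rather than performs an OOB read.
static bool read_offset(const std::vector<uint8_t>& buf1, uint32_t i, uint32_t* out) {
  size_t pos = static_cast<size_t>(i) * sizeof(uint32_t);
  if (pos + sizeof(uint32_t) > buf1.size()) return false;
  memcpy(out, buf1.data() + pos, sizeof(uint32_t));
  return true;
}

// Buggy ordering: buf1 is read as offsets unconditionally; fixed-length-ness is checked after.
static VarLenSize buggy_required_varlen(const RowTableLike& t) {
  uint32_t last = 0;
  if (!read_offset(t.buf1, t.num_rows, &last)) return {true, 0};
  if (t.is_fixed_length) return {false, 0};  // too late to prevent the read above
  return {false, last};
}

// Fixed ordering: return early for fixed-length tables; only var-length tables hold offsets.
static VarLenSize fixed_required_varlen(const RowTableLike& t) {
  if (t.is_fixed_length) return {false, 0};
  uint32_t last = 0;
  if (!read_offset(t.buf1, t.num_rows, &last)) return {true, 0};
  return {false, last};
}

// The issue's case: one uint8 column at alignment 1 gives 1 byte per row, not 4 per offset.
static RowTableLike make_fixed_uint8_table(uint32_t num_rows) {
  return {true, num_rows, std::vector<uint8_t>(num_rows, 0x7f)};
}
// A genuine var-length table whose buf1 holds num_rows + 1 offsets.
static RowTableLike make_varlen_table(const std::vector<uint32_t>& offsets) {
  std::vector<uint8_t> buf1(offsets.size() * sizeof(uint32_t));
  memcpy(buf1.data(), offsets.data(), buf1.size());
  return {false, static_cast<uint32_t>(offsets.size() - 1), buf1};
}
```

With three `uint8` rows, `buf1` is 3 bytes while the offset read needs bytes 12 to 15, which is exactly the overrun the issue describes; the fixed ordering never touches `buf1` for that table.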
