metsw24-max opened a new issue, #49884: URL: https://github.com/apache/arrow/issues/49884
### Describe the bug, including details regarding any error messages, version, and platform.

### Describe the bug

BufferBuilder and TypedBufferBuilder perform unchecked integer arithmetic in size calculations such as:

- `size_ + additional_bytes`
- `num_elements * sizeof(T)`

These operations can overflow, leading to incorrect buffer size calculations.

### To Reproduce

The issue can be triggered through JSON parsing, where untrusted input controls array sizes, string lengths, and element counts. These values are propagated to BufferBuilder and TypedBufferBuilder.

### Expected behavior

Buffer size calculations should be overflow-safe and reject invalid or excessively large inputs.

### Actual behavior

Overflow in size computations may wrap around, resulting in under-allocation of buffers and potential out-of-bounds writes.

### Additional context

This affects code paths used by the JSON parser (parser.cc), meaning untrusted input can reach these unsafe operations.

### Component(s)

C++
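The two size expressions named in the issue, written with explicit overflow checks, as an added example (not code from the issue or from Arrow). The helper names `CheckedGrow`, `CheckedBytes`, `CheckedAppendSize` and `WrappedBytes` are hypothetical, and sizes are assumed to be `int64_t`.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helpers for illustration; these are not Arrow's API.
// Assumption: sizes and element counts are carried as int64_t.
constexpr int64_t kMaxSize = std::numeric_limits<int64_t>::max();

// Checked form of `size_ + additional_bytes`.
bool CheckedGrow(int64_t size, int64_t additional_bytes, int64_t* out) {
  if (size < 0 || additional_bytes < 0) return false;  // negative input
  if (additional_bytes > kMaxSize - size) return false;  // sum would overflow
  *out = size + additional_bytes;
  return true;
}

// Checked form of `num_elements * sizeof(T)`.
template <typename T>
bool CheckedBytes(int64_t num_elements, int64_t* out) {
  constexpr int64_t kWidth = static_cast<int64_t>(sizeof(T));
  if (num_elements < 0) return false;
  if (num_elements > kMaxSize / kWidth) return false;  // product would overflow
  *out = num_elements * kWidth;
  return true;
}

// New total size after appending num_elements values of T to `size` bytes.
template <typename T>
bool CheckedAppendSize(int64_t size, int64_t num_elements, int64_t* out) {
  int64_t bytes = 0;
  return CheckedBytes<T>(num_elements, &bytes) && CheckedGrow(size, bytes, out);
}

// What the unchecked product wraps to. Computed in uint64_t so the wrap is
// well defined (signed overflow is undefined behaviour in C++).
template <typename T>
uint64_t WrappedBytes(uint64_t num_elements) {
  return num_elements * static_cast<uint64_t>(sizeof(T));
}

int main() {
  // Constructed input: an element count of 2^61 + 1 with 8-byte elements.
  const int64_t n = (int64_t{1} << 61) + 1;
  int64_t bytes = 0;
  std::printf("unchecked product wraps to %llu bytes\n",
              static_cast<unsigned long long>(WrappedBytes<int64_t>(n)));
  std::printf("checked product accepted: %d\n", CheckedBytes<int64_t>(n, &bytes));
  return 0;
}
```

With the constructed count, the unchecked product is a small number of bytes while the caller believes it has room for 2^61 + 1 elements, which is the under-allocation the issue describes.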
