Arawoof06 opened a new issue, #50355:
URL: https://github.com/apache/arrow/issues/50355

   ### Describe the bug, including details regarding any error messages, 
version, and platform.
   
   `utf8_length_ignore_invalid` in `cpp/src/gandiva/precompiled/string_ops.cc` 
counts glyphs while tolerating invalid bytes. When it hits a byte that is not a 
valid continuation byte it extends `char_len`:
   
   ```cpp
   for (int j = 1; j < char_len; ++j) {
     if ((data[i + j] & 0xC0) != 0x80) {
       char_len += 1;
     }
   }
   ```
   
   The inner loop keeps reading `data[i + j]` as `char_len` grows, but it never 
rechecks the buffer end. If a value ends in a truncated multi-byte sequence 
(for example a `0xF0` lead byte followed by non-continuation bytes) `char_len` 
grows past the remaining bytes and the loop reads past `data_len`.
   
   The function is reached from untrusted string data through `lpad`/`rpad` 
(`lpad_utf8_int32_utf8`, `rpad_utf8_int32_utf8`), which call it on the input 
text before computing padding.
   
   Reproduced against a verbatim copy of the function under AddressSanitizer 
with the 4-byte input `{0xF0, 'a', 'a', 'a'}` in an exactly-sized heap buffer:
   
   ```
   ==ERROR: AddressSanitizer: heap-buffer-overflow
   READ of size 1 ... 0 bytes after 4-byte region
       #0 utf8_length_ignore_invalid
   ```
   
   The sibling helpers (`utf8_length`, `reverse_utf8`, `utf8_byte_pos`) already 
guard the equivalent access with `i + char_len > data_len`; this one does not.
   
   ### Component(s)
   
   C++, Gandiva
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to