Arawoof06 opened a new issue, #50380:
URL: https://github.com/apache/arrow/issues/50380

   ### Describe the bug, including details regarding any error messages, 
version, and platform.
   
   `byte_substr_binary_int32_int32` 
(`cpp/src/gandiva/precompiled/string_ops.cc`) computes `startPos` from the 
offset argument but never checks that it lands inside the input. With a 
positive `offset` greater than `text_len`, `startPos = offset - 1 >= text_len`, 
and the length truncation
   
   ```c++
   if (startPos + length > text_len) {
     *out_len = text_len - startPos;   // negative
   }
   memcpy(ret, text + startPos, *out_len);
   ```
   
   produces a negative `*out_len`. `memcpy` reads that as a very large 
`size_t`, so it reads past the end of `text` and writes past the 
`text_len`-sized output buffer.
   
   Reproduced with a verbatim copy of the function under AddressSanitizer using 
`byte_substr("TestString", 10, offset=15, length=10)`:
   
   ```
   ERROR: AddressSanitizer: negative-size-param: (size=-4)
       #2 byte_substr_binary_int32_int32 string_ops.cc
   0x... is located 4 bytes after 10-byte region
   SUMMARY: AddressSanitizer: negative-size-param in 
byte_substr_binary_int32_int32
   ```
   
   The offset comes from user SQL, so any `byte_substr(col, n, m)` with `n` 
beyond the row length triggers it.
   
   ### Component(s)
   
   C++, Gandiva


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to