Commit d091957
authored
### Rationale for this change
`to_hex_int64` and `to_hex_int32` in `cpp/src/gandiva/precompiled/string_ops.cc` allocate the arena buffer with the bare hex-digit count (16 and 8 bytes) but pass that size + 1 as the `snprintf` bound. For any full-width value (`to_hex(-1::bigint)` -> `FFFFFFFFFFFFFFFF`, `INT64_MIN`, `INT32_MIN`, ...) `snprintf` writes all digits plus the trailing NUL, one byte past the end of the allocation. `gdv_fn_context_arena_malloc` returns exactly the requested bytes, so the NUL corrupts the adjacent arena allocation. Reachable from the `to_hex(bigint)` / `to_hex(int)` Gandiva functions over untrusted column data.
### What changes are included in this PR?
Allocate one extra byte in both functions so the allocation matches the `snprintf` bound, the same fix as GH-49752 applied to the identical pattern in `hash_utils.cc`.
### Are these changes tested?
Yes. The existing `TestToHexInt64` / `TestToHexInt32` cases already exercise the full-width path (`INT64_MIN`, `INT32_MIN`, -1) and run clean under ASAN with this change. Output behaviour is unchanged.
### Are there any user-facing changes?
No.
**This PR contains a "Critical Fix".** It fixes a one-byte out-of-bounds heap write reachable from the `to_hex` Gandiva functions over untrusted input.
* GitHub Issue: #50075
Authored-by: metsw24-max <metsw24@gmail.com>
Signed-off-by: Sutou Kouhei <kou@clear-code.com>
1 parent cffe22d commit d091957
1 file changed
Lines changed: 5 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2895 | 2895 | | |
2896 | 2896 | | |
2897 | 2897 | | |
2898 | | - | |
2899 | | - | |
| 2898 | + | |
| 2899 | + | |
| 2900 | + | |
2900 | 2901 | | |
2901 | 2902 | | |
2902 | 2903 | | |
| |||
2912 | 2913 | | |
2913 | 2914 | | |
2914 | 2915 | | |
2915 | | - | |
| 2916 | + | |
| 2917 | + | |
2916 | 2918 | | |
2917 | 2919 | | |
2918 | 2920 | | |
| |||
0 commit comments