Describe the bug
set_error_for_date() in cpp/src/gandiva/precompiled/time.cc builds the error message for an invalid date/timestamp with:
int size = length + static_cast<int>(strlen(msg)) + 1;
char* error = reinterpret_cast<char*>(malloc(size));
snprintf(error, size, "%s%s", msg, input);
input is a Gandiva string given as pointer + length; it is not NUL-terminated (string values are stored contiguously in the Arrow values buffer). The %s conversion scans input for a NUL terminator, so it reads past the length bytes and, for the last value in a buffer, past the buffer end.
It is reached from castDATE_utf8 / castTIMESTAMP_utf8 (i.e. CAST(str AS DATE/TIMESTAMP)) whenever the input is not a valid date/timestamp, which is fully attacker-controlled.
Every other error formatter in the precompiled sources uses the bounded %.*s form with the explicit length. Using it here fixes the over-read.
Component(s)
C++, Gandiva
Describe the bug
set_error_for_date()incpp/src/gandiva/precompiled/time.ccbuilds the error message for an invalid date/timestamp with:inputis a Gandiva string given as pointer +length; it is not NUL-terminated (string values are stored contiguously in the Arrow values buffer). The%sconversion scansinputfor a NUL terminator, so it reads past thelengthbytes and, for the last value in a buffer, past the buffer end.It is reached from
castDATE_utf8/castTIMESTAMP_utf8(i.e.CAST(str AS DATE/TIMESTAMP)) whenever the input is not a valid date/timestamp, which is fully attacker-controlled.Every other error formatter in the precompiled sources uses the bounded
%.*sform with the explicit length. Using it here fixes the over-read.Component(s)
C++, Gandiva