Skip to content

[C++][Gandiva] Out-of-bounds read when formatting invalid date/timestamp error messages #50440

Description

@Arawoof06

Describe the bug

set_error_for_date() in cpp/src/gandiva/precompiled/time.cc builds the error message for an invalid date/timestamp with:

int size = length + static_cast<int>(strlen(msg)) + 1;
char* error = reinterpret_cast<char*>(malloc(size));
snprintf(error, size, "%s%s", msg, input);

input is a Gandiva string given as pointer + length; it is not NUL-terminated (string values are stored contiguously in the Arrow values buffer). The %s conversion scans input for a NUL terminator, so it reads past the length bytes and, for the last value in a buffer, past the buffer end.

It is reached from castDATE_utf8 / castTIMESTAMP_utf8 (i.e. CAST(str AS DATE/TIMESTAMP)) whenever the input is not a valid date/timestamp, which is fully attacker-controlled.

Every other error formatter in the precompiled sources uses the bounded %.*s form with the explicit length. Using it here fixes the over-read.

Component(s)

C++, Gandiva

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions