ARROW-7999: [C++] Fix crash on corrupt List / Map array input

Found by OSS-Fuzz. Should fix the following issues: * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20284 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21039 Closes #6534 from pitrou/ARROW-7999-fuzz-fix and squashes the following commits: 5b3bfdf <Antoine Pitrou> ARROW-7999: Fix crash on corrupt List / Map array input Authored-by: Antoine Pitrou <[email protected]> Signed-off-by: Antoine Pitrou <[email protected]>
apache · Mar 5, 2020 · 245091c · 245091c
1 parent c2344cf
commit 245091c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 33 deletions.
diff --git a/cpp/src/arrow/array/validate.cc b/cpp/src/arrow/array/validate.cc
@@ -79,44 +79,23 @@ struct ValidateArrayVisitor {
     if (!array.keys()) {
       return Status::Invalid("keys is null");
     }
-    const Status key_valid = ValidateArray(*array.keys());
-    if (!key_valid.ok()) {
-      return Status::Invalid("key array invalid: ", key_valid.ToString());
-    }
-
-    if (array.length() > 0 && !array.values()) {
-      return Status::Invalid("values is null");
-    }
-    const Status values_valid = ValidateArray(*array.values());
-    if (!values_valid.ok()) {
-      return Status::Invalid("values array invalid: ", values_valid.ToString());
-    }
-
-    const int32_t last_offset = array.value_offset(array.length());
-    if (array.values()->length() != last_offset) {
-      return Status::Invalid("Final offset invariant not equal to values length: ",
-                             last_offset, "!=", array.values()->length());
-    }
-    if (array.keys()->length() != last_offset) {
-      return Status::Invalid("Final offset invariant not equal to keys length: ",
-                             last_offset, "!=", array.keys()->length());
-    }
-
-    return ValidateOffsets(array);
+    return ValidateListArray(array);
   }
 
   Status Visit(const FixedSizeListArray& array) {
-    if (array.length() > 0 && !array.values()) {
+    const int64_t len = array.length();
+    const int64_t value_size = array.value_length();
+    if (len > 0 && !array.values()) {
       return Status::Invalid("values is null");
     }
-    if (array.value_length() < 0) {
-      return Status::Invalid("FixedSizeListArray has negative value length ",
-                             array.value_length());
+    if (value_size < 0) {
+      return Status::Invalid("FixedSizeListArray has negative value size ", value_size);
     }
-    if (array.values()->length() != array.length() * array.value_length()) {
-      return Status::Invalid(
-          "Values Length (", array.values()->length(), ") is not equal to the length (",
-          array.length(), ") multiplied by the list size (", array.value_length(), ")");
+    if (HasMultiplyOverflow(len, value_size) ||
+        array.values()->length() != len * value_size) {
+      return Status::Invalid("Values Length (", array.values()->length(),
+                             ") is not equal to the length (", len,
+                             ") multiplied by the value size (", value_size, ")");
     }
 
     return Status::OK();

diff --git a/testing b/testing
+ −		data/arrow-ipc-stream/clusterfuzz-testcase-minimized-arrow-ipc-stream-fuzz-5089431154589696
+ −		data/arrow-ipc-stream/clusterfuzz-testcase-minimized-arrow-ipc-stream-fuzz-5144746570022912