Describe the bug
to_hex_int64 and to_hex_int32 in cpp/src/gandiva/precompiled/string_ops.cc allocate the arena buffer with exactly the maximum number of hex digits (2 * sizeof(int64_t) = 16, 2 * sizeof(int32_t) = 8), but then call snprintf with a size of that value + 1. For a value that uses the full digit width (e.g. to_hex(-1::bigint) → FFFFFFFFFFFFFFFF, or INT64_MIN/INT32_MIN), snprintf writes all digits plus a trailing NUL, i.e. one byte past the end of the allocation.
gdv_fn_context_arena_malloc hands out exactly the requested number of bytes from the arena, so the NUL terminator corrupts the adjacent arena allocation (out-of-bounds write).
This is the same off-by-one that was just fixed for gdv_hash_using_openssl in #49780 / GH-49752; these two functions were missed.
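An added illustration of the off-by-one described above, not code from Arrow or the Gandiva precompiled sources. ToyArena is an assumed stand-in for gdv_fn_context_arena_malloc that hands out exactly the requested bytes back to back; buggy_to_hex_clobbers_neighbor reproduces the snprintf(size + 1) pattern with a canary in the adjacent allocation, and fixed_to_hex shows the repair (format into a stack buffer that has room for the NUL, then copy only the digits into an exactly sized arena buffer). It covers both to_hex_int64 and to_hex_int32 by taking the digit count as a parameter.

```cpp
#include <cinttypes>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Toy stand-in (an assumption, not Gandiva's allocator) for
// gdv_fn_context_arena_malloc: hands out exactly the requested number of
// bytes, back to back, with no slack between consecutive allocations.
class ToyArena {
 public:
  explicit ToyArena(size_t capacity) : storage_(capacity, 0), used_(0) {}
  char* alloc(size_t n) {
    if (used_ + n > storage_.size()) return nullptr;
    char* p = storage_.data() + used_;
    used_ += n;
    return p;
  }
  size_t used() const { return used_; }

 private:
  std::vector<char> storage_;
  size_t used_;
};

constexpr int32_t kInt64HexDigits = 2 * sizeof(int64_t);  // 16
constexpr int32_t kInt32HexDigits = 2 * sizeof(int32_t);  // 8

// Reproduces the off-by-one pattern from the report: max_digits bytes are
// taken from the arena, but snprintf is told it may use max_digits + 1, so a
// value that needs every digit lands its NUL terminator on the next arena
// allocation. A canary byte is placed there; returns true when the canary
// was overwritten. bits is the two's-complement bit pattern of the input.
bool buggy_to_hex_clobbers_neighbor(uint64_t bits, int32_t max_digits) {
  ToyArena arena(64);
  char* ret = arena.alloc(static_cast<size_t>(max_digits));
  char* neighbor = arena.alloc(1);  // the adjacent arena allocation
  *neighbor = 'Z';                  // canary
  snprintf(ret, static_cast<size_t>(max_digits) + 1, "%" PRIX64, bits);  // size one too large
  return *neighbor != 'Z';
}

// Fixed pattern: format into a stack buffer that has room for the NUL, then
// copy only the digits into an arena buffer sized exactly to the digit count.
// Returns the arena pointer and writes the digit count to out_len.
const char* fixed_to_hex(ToyArena& arena, uint64_t bits, int32_t max_digits,
                         int32_t* out_len) {
  char tmp[kInt64HexDigits + 1];  // 16 digits + NUL; also enough for int32
  int len = snprintf(tmp, sizeof(tmp), "%" PRIX64, bits);
  if (len < 0 || len > max_digits) { *out_len = 0; return ""; }
  char* ret = arena.alloc(static_cast<size_t>(len));
  if (ret == nullptr) { *out_len = 0; return ""; }
  memcpy(ret, tmp, static_cast<size_t>(len));  // digits only, no terminator
  *out_len = len;
  return ret;
}

// Thin wrappers mirroring the two functions named in the report; they return
// a std::string built from the arena pointer and length for easy checking.
std::string fixed_to_hex_int64(ToyArena& arena, int64_t value) {
  int32_t len = 0;
  const char* p = fixed_to_hex(arena, static_cast<uint64_t>(value), kInt64HexDigits, &len);
  return std::string(p, static_cast<size_t>(len));
}

std::string fixed_to_hex_int32(ToyArena& arena, int32_t value) {
  int32_t len = 0;
  const char* p = fixed_to_hex(arena, static_cast<uint32_t>(value), kInt32HexDigits, &len);
  return std::string(p, static_cast<size_t>(len));
}

int main() {
  printf("buggy int64 -1 clobbers neighbor: %d\n",
         buggy_to_hex_clobbers_neighbor(static_cast<uint64_t>(int64_t{-1}), kInt64HexDigits));
  ToyArena arena(64);
  printf("fixed to_hex(-1::bigint) = %s, arena bytes used = %zu\n",
         fixed_to_hex_int64(arena, -1).c_str(), arena.used());
  return 0;
}
```

The canary check only flags the write because ToyArena's allocations are adjacent in one contiguous buffer, which is exactly the layout the report describes; with a real allocator the same NUL would silently corrupt whatever was handed out next.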
Component(s)
C++, Gandiva