[C++][IPC] Possible int64 overflow in ReadSparseCSXIndex buffer size validation

### Describe the bug, including details regarding any error messages, version, and platform.

In `cpp/src/arrow/ipc/reader.cc`, `ReadSparseCSXIndex` validates that the IPC SparseTensor `indices`/`indptr` buffers are large enough for the claimed shape using `int64` products:

```cpp
const auto indices_minimum_bytes = indices_shape[0] * indices_type->byte_width();
...
const int64_t indptr_minimum_bytes = indptr_shape[0] * indptr_byte_width;  // indptr_shape[0] = shape[axis] + 1
```

`non_zero_length` and `shape` come unchecked from the SparseTensor flatbuffer via `GetSparseTensorMetadata`. A crafted `non_zero_length` near `INT64_MAX` (or `shape[axis]` near `INT64_MAX` for the `+ 1`) overflows the signed `int64` product, wrapping it to a small value so the buffer-size guard passes. The resulting index `Tensor` is then built over a buffer far smaller than its shape, enabling an out-of-bounds read when the sparse tensor is consumed. The bare `Tensor` constructor performs no buffer-size validation, and `CheckSparseIndexMaximumValue` only bounds against the index type max, so this guard is the only check.

This was confirmed with UBSan (signed integer overflow in the multiplication).

### Component(s)

C++


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[C++][IPC] Possible int64 overflow in ReadSparseCSXIndex buffer size validation #50077

Describe the bug, including details regarding any error messages, version, and platform.

Component(s)

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[C++][IPC] Possible int64 overflow in ReadSparseCSXIndex buffer size validation #50077

Description

Describe the bug, including details regarding any error messages, version, and platform.

Component(s)

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions