Fix BYTE_ARRAY use-after-free in page reader

Vitruves · Vitruves · commit ea88d9a3f7b9 · 2026-02-07T10:14:34.000+01:00
diff --git a/src/reader/file_reader.c b/src/reader/file_reader.c
@@ -547,6 +547,7 @@ void carquet_column_reader_free(carquet_column_reader_t* reader) {
     if (!reader) return;
 
     free(reader->page_buffer);
+    free(reader->page_data_for_values);
     free(reader->dictionary_data);
     free(reader->dictionary_offsets);
 
diff --git a/src/reader/page_reader.c b/src/reader/page_reader.c
@@ -925,7 +925,17 @@ static carquet_status_t load_next_page_mmap(
         reader->decoded_def_levels, reader->decoded_rep_levels,
         &decoded_count, error);
 
-    free(decompressed);
+    /* For BYTE_ARRAY PLAIN columns with compressed data, retain the
+     * decompressed buffer since carquet_byte_array_t.data pointers
+     * reference it. For uncompressed mmap, pointers go directly to mmap
+     * which persists for the reader's lifetime, so no retention needed. */
+    if (decompressed && reader->type == CARQUET_PHYSICAL_BYTE_ARRAY &&
+        page_header.data_page_header.encoding == CARQUET_ENCODING_PLAIN) {
+        free(reader->page_data_for_values);
+        reader->page_data_for_values = decompressed;
+    } else {
+        free(decompressed);
+    }
 
     if (status != CARQUET_OK) {
         return status;
@@ -1097,11 +1107,26 @@ static carquet_status_t load_next_page_fread(
         reader->decoded_def_levels, reader->decoded_rep_levels,
         &decoded_count, error);
 
-    if (page_data != compressed) {
-        free(page_data);
-    }
-    if (compressed) {
-        free(compressed);
+    /* For BYTE_ARRAY PLAIN columns, the decoded carquet_byte_array_t structs
+     * have .data pointers into the page data buffer. Retain the buffer so
+     * these pointers remain valid until the next page is loaded. */
+    bool retain = (reader->type == CARQUET_PHYSICAL_BYTE_ARRAY &&
+                   page_header.data_page_header.encoding == CARQUET_ENCODING_PLAIN);
+
+    if (retain) {
+        free(reader->page_data_for_values);
+        reader->page_data_for_values = page_data;
+        /* Free compressed buffer only if it's a separate allocation */
+        if (compressed && compressed != page_data) {
+            free(compressed);
+        }
+    } else {
+        if (page_data != compressed) {
+            free(page_data);
+        }
+        if (compressed) {
+            free(compressed);
+        }
     }
 
     if (status != CARQUET_OK) {
diff --git a/src/reader/reader_internal.h b/src/reader/reader_internal.h
@@ -131,6 +131,9 @@ struct carquet_column_reader {
     int32_t dictionary_count;
     uint32_t* dictionary_offsets;  /* Offset cache for O(1) BYTE_ARRAY lookup */
 
+    /* Retained page data for BYTE_ARRAY value pointers */
+    uint8_t* page_data_for_values;
+
     /* Current page state for partial reads */
     bool page_loaded;           /* Is a page currently loaded? */
     int32_t page_num_values;    /* Total values in current page */
