GH-48308: [C++][Parquet] Fix potential crash when reading invalid Parquet data

pitrou · pitrou · commit 2c5dda8df9a3 · 2025-12-02T18:00:54.000+01:00
diff --git a/cpp/src/parquet/decoder.cc b/cpp/src/parquet/decoder.cc
@@ -92,11 +92,7 @@ struct ArrowBinaryHelper<ByteArrayType, ::arrow::BinaryType> {
   // If estimated_data_length is provided, it will also reserve the estimated data length.
   Status Prepare(int64_t length, std::optional<int64_t> estimated_data_length = {}) {
     entries_remaining_ = length;
-    RETURN_NOT_OK(builder_->Reserve(entries_remaining_));
-    if (estimated_data_length.has_value()) {
-      RETURN_NOT_OK(builder_->ReserveData(
-          std::min<int64_t>(*estimated_data_length, this->chunk_space_remaining_)));
-    }
+    RETURN_NOT_OK(ReserveInitialChunkData(estimated_data_length));
     return Status::OK();
   }
 
@@ -110,11 +106,7 @@ struct ArrowBinaryHelper<ByteArrayType, ::arrow::BinaryType> {
       // This element would exceed the capacity of a chunk
       RETURN_NOT_OK(PushChunk());
       // Reserve entries and data in new chunk
-      RETURN_NOT_OK(builder_->Reserve(entries_remaining_));
-      if (estimated_remaining_data_length.has_value()) {
-        RETURN_NOT_OK(builder_->ReserveData(
-            std::min<int64_t>(*estimated_remaining_data_length, chunk_space_remaining_)));
-      }
+      RETURN_NOT_OK(ReserveInitialChunkData(estimated_remaining_data_length));
     }
     chunk_space_remaining_ -= length;
     --entries_remaining_;
@@ -147,6 +139,20 @@ struct ArrowBinaryHelper<ByteArrayType, ::arrow::BinaryType> {
     return Status::OK();
   }
 
+  Status ReserveInitialChunkData(std::optional<int64_t> estimated_remaining_data_length) {
+    RETURN_NOT_OK(builder_->Reserve(entries_remaining_));
+    if (estimated_remaining_data_length.has_value()) {
+      int64_t required_capacity =
+          std::min(*estimated_remaining_data_length, chunk_space_remaining_);
+      // Ensure we'll be allocating a non-zero-sized data buffer, to avoid encountering
+      // a null pointer
+      constexpr int64_t kMinReserveCapacity = 64;
+      RETURN_NOT_OK(
+          builder_->ReserveData(std::max(required_capacity, kMinReserveCapacity)));
+    }
+    return Status::OK();
+  }
+
   bool CanFit(int64_t length) const { return length <= chunk_space_remaining_; }
 
   Accumulator* acc_;
@@ -763,34 +769,35 @@ class PlainByteArrayDecoder : public PlainDecoder<ByteArrayType> {
     auto visit_binary_helper = [&](auto* helper) {
       int values_decoded = 0;
 
-      RETURN_NOT_OK(VisitBitRuns(
-          valid_bits, valid_bits_offset, num_values,
-          [&](int64_t position, int64_t run_length, bool is_valid) {
-            if (is_valid) {
-              for (int64_t i = 0; i < run_length; ++i) {
-                if (ARROW_PREDICT_FALSE(len_ < 4)) {
-                  return Status::Invalid(
-                      "Invalid or truncated PLAIN-encoded BYTE_ARRAY data");
-                }
-                auto value_len = SafeLoadAs<int32_t>(data_);
-                if (ARROW_PREDICT_FALSE(value_len < 0 || value_len > len_ - 4)) {
-                  return Status::Invalid(
-                      "Invalid or truncated PLAIN-encoded BYTE_ARRAY data");
-                }
-                RETURN_NOT_OK(
-                    helper->AppendValue(data_ + 4, value_len, estimated_data_length));
-                auto increment = value_len + 4;
-                data_ += increment;
-                len_ -= increment;
-                estimated_data_length -= value_len;
-                DCHECK_GE(estimated_data_length, 0);
-              }
-              values_decoded += static_cast<int>(run_length);
-              return Status::OK();
-            } else {
-              return helper->AppendNulls(run_length);
-            }
-          }));
+      RETURN_NOT_OK(
+          VisitBitRuns(valid_bits, valid_bits_offset, num_values,
+                       [&](int64_t position, int64_t run_length, bool is_valid) {
+                         if (is_valid) {
+                           for (int64_t i = 0; i < run_length; ++i) {
+                             if (ARROW_PREDICT_FALSE(len_ < 4)) {
+                               return Status::Invalid(
+                                   "Invalid or truncated PLAIN-encoded BYTE_ARRAY data");
+                             }
+                             auto value_len = SafeLoadAs<int32_t>(data_);
+                             if (ARROW_PREDICT_FALSE(value_len < 0 ||
+                                                     value_len > estimated_data_length)) {
+                               return Status::Invalid(
+                                   "Invalid or truncated PLAIN-encoded BYTE_ARRAY data");
+                             }
+                             RETURN_NOT_OK(helper->AppendValue(data_ + 4, value_len,
+                                                               estimated_data_length));
+                             auto increment = value_len + 4;
+                             data_ += increment;
+                             len_ -= increment;
+                             estimated_data_length -= value_len;
+                             DCHECK_GE(estimated_data_length, 0);
+                           }
+                           values_decoded += static_cast<int>(run_length);
+                           return Status::OK();
+                         } else {
+                           return helper->AppendNulls(run_length);
+                         }
+                       }));
 
       num_values_ -= values_decoded;
       *out_values_decoded = values_decoded;
diff --git a/testing b/testing
@@ -1 +1 @@
-Subproject commit 047d3914590d8379b5da19c4f5b0d1869a8ecdb3
+Subproject commit da559b5412551c490a97c67f6779fcefd4352aff
