GH-50063: [C++] Validate buffer size for row-major tensors (#50064)

metsw24-max · web-flow · commit ca8a194bd15d · 2026-05-29T13:24:58.000+02:00
### Rationale for this change `ValidateTensorParameters` in cpp/src/arrow/tensor.cc only runs the `CheckTensorStridesValidity` buffer-overrun guard when strides are passed explicitly. With implicit (row-major) strides it computes strides for overflow but never checks the data buffer is large enough for the shape, so a tensor whose shape exceeds its buffer is accepted and later read out of bounds. This is reachable from IPC `ReadTensor`, where the shape comes from the flatbuffer and the body size is independent of it. ### What changes are included in this PR? Run `CheckTensorStridesValidity` on the computed row-major strides too. ### Are these changes tested? Added a case to `TestTensor.MakeFailureCases`. ### Are there any user-facing changes? No. **This PR contains a "Critical Fix".** Crafted IPC tensor metadata (or any caller building a row-major tensor over an undersized buffer) bypassed the bounds check, enabling an out-of-bounds read. * GitHub Issue: #50063 Authored-by: metsw24-max <metsw24@gmail.com> Signed-off-by: Rok Mihevc <rok@mihevc.org>
diff --git a/cpp/src/arrow/tensor.cc b/cpp/src/arrow/tensor.cc
@@ -216,6 +216,7 @@ Status ValidateTensorParameters(const std::shared_ptr<DataType>& type,
     std::vector<int64_t> tmp_strides;
     RETURN_NOT_OK(ComputeRowMajorStrides(checked_cast<const FixedWidthType&>(*type),
                                          shape, &tmp_strides));
+    RETURN_NOT_OK(CheckTensorStridesValidity(data, shape, tmp_strides, type));
   }
   if (dim_names.size() > shape.size()) {
     return Status::Invalid("too many dim_names are supplied");
diff --git a/cpp/src/arrow/tensor_test.cc b/cpp/src/arrow/tensor_test.cc
@@ -268,6 +268,9 @@ TEST(TestTensor, MakeFailureCases) {
   ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, shape,
                                       {sizeof(double) * 12, sizeof(double)}));
 
+  // row-major (implicit strides) shape larger than the backing buffer
+  ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, {3, 100}));
+
   // too many dim_names are supplied
   ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, shape, {}, {"foo", "bar", "baz"}));
 }

Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,7 @@ Status ValidateTensorParameters(const std::shared_ptr<DataType>& type,`
`216`	`216`	`std::vector<int64_t> tmp_strides;`
`217`	`217`	`RETURN_NOT_OK(ComputeRowMajorStrides(checked_cast<const FixedWidthType&>(*type),`
`218`	`218`	`shape, &tmp_strides));`
	`219`	`+ RETURN_NOT_OK(CheckTensorStridesValidity(data, shape, tmp_strides, type));`
`219`	`220`	`}`
`220`	`221`	`if (dim_names.size() > shape.size()) {`
`221`	`222`	`return Status::Invalid("too many dim_names are supplied");`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,9 @@ TEST(TestTensor, MakeFailureCases) {`
`268`	`268`	`ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, shape,`
`269`	`269`	`{sizeof(double) * 12, sizeof(double)}));`
`270`	`270`
	`271`	`+ // row-major (implicit strides) shape larger than the backing buffer`
	`272`	`+ ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, {3, 100}));`
	`273`	`+`
`271`	`274`	`// too many dim_names are supplied`
`272`	`275`	`ASSERT_RAISES(Invalid, Tensor::Make(float64(), data, shape, {}, {"foo", "bar", "baz"}));`
`273`	`276`	`}`