Describe the bug, including details regarding any error messages, version, and platform.
WKB parsing code in cpp/src/parquet/geospatial performs size computations using geometry counts read directly from externally supplied WKB input.
On 32-bit targets such as wasm32, calculations of the form:
count * sizeof(T)
can overflow before remaining-buffer validation occurs. This may allow truncated bounds checks to succeed while subsequent parsing logic still attempts to process larger coordinate sequences.
One identified instance is WKBBuffer::ReadCoords() in util_internal.cc, where the coordinate sequence byte size is derived from a WKB-provided coordinate count prior to validating the remaining buffer size.
This issue tracks auditing and hardening similar overflow-before-bounds-check patterns in WKB parsing paths to ensure bounds validation remains correct across supported architectures.
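The pattern described above, as an added example that is not Arrow's code: a hypothetical, simplified coordinate-sequence reader whose byte-size computation is done in a 32-bit size type (modelled here with a `size32_t` alias so the wrap is visible on a 64-bit host), next to the hardened form that validates the count against the remaining capacity before multiplying. All names (`Cursor`, `Coord`, `WrappingCheckPasses`, `ReadCoordsChecked`, `MakeSequence`) are assumptions for illustration, and the inputs are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical model of a WKB coordinate-sequence reader; not Arrow's
// WKBBuffer. size32_t stands in for the 32-bit size_t of wasm32 so the
// wrap is observable even when this file is built on a 64-bit host.
using size32_t = uint32_t;

struct Coord { double x; double y; };  // 2-D point, 16 bytes
static_assert(sizeof(Coord) == 16, "model assumes 16-byte coordinates");

// Cursor over externally supplied bytes: position plus bytes left.
struct Cursor {
  const uint8_t* data;
  size32_t remaining;
};

// Reads the little-endian uint32 count that precedes the sequence.
static bool ReadCount(Cursor* cur, uint32_t* count) {
  if (cur->remaining < sizeof(uint32_t)) return false;
  std::memcpy(count, cur->data, sizeof(uint32_t));
  cur->data += sizeof(uint32_t);
  cur->remaining -= sizeof(uint32_t);
  return true;
}

// Overflow-before-bounds-check pattern: the byte size is formed in the
// target's size type from an unvalidated count, then compared with the
// buffer. With count = 0x10000001, count * 16 wraps to 16 mod 2^32, so a
// 16-byte payload satisfies the check. Returns true when the (truncated)
// check would have passed and reports the count the caller would loop over.
static bool WrappingCheckPasses(const std::vector<uint8_t>& wkb, uint32_t* count_out) {
  Cursor cur{wkb.data(), static_cast<size32_t>(wkb.size())};
  uint32_t count;
  if (!ReadCount(&cur, &count)) return false;
  size32_t nbytes = count * static_cast<size32_t>(sizeof(Coord));  // wraps mod 2^32
  if (nbytes > cur.remaining) return false;
  *count_out = count;  // a real reader would now iterate `count` times
  return true;
}

// Hardened form: bound the count by the remaining capacity first, so the
// product is only ever formed from a count that cannot overflow.
static bool ReadCoordsChecked(const std::vector<uint8_t>& wkb, std::vector<Coord>* out) {
  Cursor cur{wkb.data(), static_cast<size32_t>(wkb.size())};
  uint32_t count;
  if (!ReadCount(&cur, &count)) return false;
  if (count > cur.remaining / sizeof(Coord)) return false;  // division cannot overflow
  size32_t nbytes = count * static_cast<size32_t>(sizeof(Coord));
  out->resize(count);
  if (nbytes != 0) std::memcpy(out->data(), cur.data, nbytes);
  return true;
}

// Builds a constructed sequence: a little-endian count header followed by
// the raw bytes of `coords`. `declared_count` may disagree with the payload
// to model a malformed file.
static std::vector<uint8_t> MakeSequence(uint32_t declared_count,
                                         const std::vector<Coord>& coords) {
  std::vector<uint8_t> wkb(sizeof(uint32_t) + coords.size() * sizeof(Coord));
  std::memcpy(wkb.data(), &declared_count, sizeof(uint32_t));
  if (!coords.empty())
    std::memcpy(wkb.data() + sizeof(uint32_t), coords.data(), coords.size() * sizeof(Coord));
  return wkb;
}

int main() {
  std::vector<Coord> one{{1.5, 2.5}};
  std::vector<uint8_t> good = MakeSequence(1, one);
  std::vector<Coord> out;
  bool ok = ReadCoordsChecked(good, &out);  // true, one coordinate read

  // Malformed header: declares 0x10000001 coordinates over a 16-byte payload.
  std::vector<Coord> zero{{0.0, 0.0}};
  std::vector<uint8_t> bad = MakeSequence(0x10000001u, zero);
  uint32_t n = 0;
  bool truncated_check_passed = WrappingCheckPasses(bad, &n);  // true on 32-bit arithmetic
  bool hardened_accepts = ReadCoordsChecked(bad, &out);        // false
  return (ok && truncated_check_passed && !hardened_accepts) ? 0 : 1;
}
```

The check `count > remaining / sizeof(Coord)` is the portable way to express the bound; where the compiler offers it, `__builtin_mul_overflow` gives the same guarantee with a single call. Either way the comparison must precede the multiplication, which is exactly the ordering the issue asks to audit.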
Component(s)
Parquet, C++