alamb opened a new issue, #13759: URL: https://github.com/apache/datafusion/issues/13759
### Describe the bug

(This was found by a security audit performed by InfluxData)

> The public method finish in datafusion_functions::strings::StringArrayBuilder takes an argument, null_buffer, which is unconditionally assigned to an internal member; however, the contract for this data type requires that the three buffers (value_buffer, offsets_buffer, and nulls) are of the same length.
>
> The argument to finish can be Option<NullBuffer> with a buffer of arbitrary length, but the length of it is not checked; therefore, the contract might be violated and subsequent usage of the resulting StringArray might lead to out-of-bounds reads or writes.

https://github.com/apache/datafusion/blob/e8314aba0bd2af4106a5dff49428bfb8fb003d57/datafusion/functions/src/strings.rs#L338-L348

I (@alamb) analyzed the code and I do think there is a problem, but I do not think it is exploitable from SQL or other downstream applications. It would only affect someone using the `StringArrayBuilder` or `LargeStringArrayBuilder` APIs directly (though they are `pub`, [see doc links](https://docs.rs/datafusion/latest/datafusion/functions/strings/struct.StringArrayBuilder.html))

The reason I don't think it is exploitable is that it is only called in two locations:

* https://github.com/apache/datafusion/blob/3ee9b3dfb6d9c4e95a93d694b6aaf5c21ab61354/datafusion/functions/src/string/concat.rs#L217-L218 (called with `None` aka no buffer)
* https://github.com/apache/datafusion/blob/3ee9b3dfb6d9c4e95a93d694b6aaf5c21ab61354/datafusion/functions/src/string/concat_ws.rs#L254 called with `Some(..)` buffer from the input array (that is the same size as the output array)

And the size of the null buffer is correct in both cases

### To Reproduce

_No response_

### Expected behavior

_No response_

### Additional context

_No response_

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
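The length contract described in the issue, as an added std-only Rust model that is not part of the original message and is not DataFusion or arrow-rs code. `ModelStringBuilder`, `Utf8Column` and `NullLenMismatch` are hypothetical names; `finish` here derives the row count from the offsets buffer and rejects a caller-supplied null mask of any other length.

```rust
// Added illustration: std-only model, not DataFusion or arrow-rs code.
// Every type and function name here is hypothetical.
#[derive(Debug, PartialEq)]
pub struct NullLenMismatch { pub rows: usize, pub nulls: usize }

#[derive(Debug)]
pub struct Utf8Column {
    offsets: Vec<usize>,      // rows + 1 entries
    values: Vec<u8>,          // concatenated string bytes
    nulls: Option<Vec<bool>>, // true = valid; must have exactly `rows` entries
}

impl Utf8Column {
    /// Readers index `nulls` by row, which is why its length must match.
    pub fn get(&self, row: usize) -> Option<&str> {
        if matches!(&self.nulls, Some(m) if !m[row]) { return None; }
        std::str::from_utf8(&self.values[self.offsets[row]..self.offsets[row + 1]]).ok()
    }
}

pub struct ModelStringBuilder { offsets: Vec<usize>, values: Vec<u8> }

impl ModelStringBuilder {
    pub fn new() -> Self { Self { offsets: vec![0], values: Vec::new() } }
    pub fn append(&mut self, s: &str) {
        self.values.extend_from_slice(s.as_bytes());
        self.offsets.push(self.values.len());
    }

    /// Checked finish: the row count comes from the offsets buffer, and a
    /// caller-supplied mask of any other length is rejected.
    pub fn finish(self, nulls: Option<Vec<bool>>) -> Result<Utf8Column, NullLenMismatch> {
        let rows = self.offsets.len() - 1;
        if let Some(mask) = &nulls {
            if mask.len() != rows {
                return Err(NullLenMismatch { rows, nulls: mask.len() });
            }
        }
        Ok(Utf8Column { offsets: self.offsets, values: self.values, nulls })
    }
}

fn main() {
    let mut b = ModelStringBuilder::new();
    b.append("a"); b.append("bc");
    // Constructed input: a one-entry mask for a two-row column.
    println!("{:?}", b.finish(Some(vec![true])).map(|_| ()));
}
```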
