GH-50184: [C++][Parquet] Avoid reading past truncated statistics values in FormatStatValue

[jmestwa-coder]

Rationale for this change

FormatStatValue in cpp/src/parquet/types.cc does fixed-width memcpy/byte loads on a statistics value that comes straight out of the file's Thrift-encoded metadata, so its length is attacker controlled. The Parquet spec allows truncated statistics, so a min_value/max_value shorter than the column's physical type (for example a zero-byte stat on an INT96 column) is valid input, but the fixed-width loads still read past the end of the source buffer. It is reachable from the printer/debug path that formats a file's column statistics.

What changes are included in this PR?

Each fixed-width read in FormatStatValue and the helpers it delegates to now clamps its copy to val.size() instead of assuming the full type width is present: the BOOLEAN/INT32/INT64/INT96/FLOAT/DOUBLE numeric loads, the int32/int64-backed decimal loads, and the float16 FIXED_LEN_BYTE_ARRAY load. A truncated value is zero-padded rather than over-read, and no exception is raised since truncated statistics are spec-legal. The variable-length FIXED_LEN_BYTE_ARRAY (decimal/string) and BYTE_ARRAY paths were already keyed off val.size() and are unchanged.

Are these changes tested?

Yes. TypePrinter.StatisticsTypesShortValue in types_test.cc formats a too-short value for each path and checks it returns without reading past the buffer (caught under ASan).

Are there any user-facing changes?

No API change. A truncated statistics value is formatted from the bytes that are present instead of reading out of bounds.

This PR contains a "Critical Fix". It stops an out-of-bounds read on a buffer whose length is controlled by the input Parquet file.

• GitHub Issue: [C++][Parquet] FormatStatValue reads past the buffer for too-short statistics values #50184

[wgtmac]

Why not dealing with the length of FIXED_LEN_BYTE_ARRAY?

[jmestwa-coder]

FormatStatValue doesn't receive the column's type_length, so it can't validate the full FLBA width here. The only fixed-size read for FLBA is the 2-byte float16 load, which is what this case guards. The decimal, string and hex paths all key off val.size() and stay in bounds.

[wgtmac]

I admit that it is better than nothing to check types with known sizes. It still looks confusing with this partial support. If we do want to add the check, I think we need to support all types. We can either pass the type instance instead of only the enum or pass the type length to FormatStatValue. The challenge is that FormatStatValue is a public API so we cannot changing its signature without breaking backward compatibility.

[wgtmac]

BTW, we need to create an issue for changes like this.

[jmestwa-coder]

Fair. Full per-length validation needs the column type_length, and since FormatStatValue is public I left the signature alone, so the guard only covers the types that do an unconditional fixed-width load (BOOLEAN/INT32/INT64/INT96/FLOAT/DOUBLE and the float16 FLBA), which are the ones that actually over-read. The variable-length FLBA (decimal/string) and BYTE_ARRAY paths are already size-driven and stay in bounds. If you'd rather thread the type_length through a new overload to cover everything, I'm happy to go that way.

[wgtmac]

It is better to put BYTE_ARRAY and UNDEFINED together since they are skipped. In case you don't know, BYTE_ARRAY cannot have float16 logical type.

[jmestwa-coder]

Good point. Moved BYTE_ARRAY down with UNDEFINED since it can't carry a float16 logical type and has no fixed-width load here anyway.

[wgtmac]

I'm a little hesitant to complicate FormatStatValue by introducing this check. FormatStatValue is usually called in the printer when we want to print some information of a parquet file for debugging purpuse.

[jmestwa-coder]

Fair, it's mostly the debug/printer path. The thing is val is taken verbatim from the file's Thrift stats, so a truncated min/max makes the BOOLEAN/INT96/numeric memcpys read past the end of the buffer even there. The guard is just a size check in front of the existing loads, so I tried to keep it minimal. Happy to trim it further if it still feels too heavy.

[wgtmac]

I admit that it is better than nothing to check types with known sizes. It still looks confusing with this partial support. If we do want to add the check, I think we need to support all types. We can either pass the type instance instead of only the enum or pass the type length to FormatStatValue. The challenge is that FormatStatValue is a public API so we cannot changing its signature without breaking backward compatibility.

[wgtmac]

(I thought I have posted the above comment but it was a draft before I posted it just now)

[wgtmac]

@pitrou Do you have any suggestion?

[jmestwa-coder]

switched to clamping each fixed-width read to val.size() rather than the required-length table, so every over-reading path is covered without touching the public signature, and there's no throw since truncated stats are valid.

[github-actions]

⚠️ GitHub issue #50184 has been automatically assigned in GitHub to PR creator.

[jmestwa-coder]

Filed #50184 for this and retitled the PR to reference it. Also reworked the description into the template sections.

[pitrou]

The Parquet spec allows for truncated statistics, so raising an exception sounds wrong here. Just make sure that we're not copying too many bytes from the std::string_view .

[jmestwa-coder]

@pitrou makes sense, truncated stats are spec-legal so throwing was wrong. reworked it to clamp every fixed-width memcpy/Float16 load in FormatStatValue to val.size(), so a short min/max is zero-padded instead of read past the buffer and nothing throws. the variable-length FLBA (decimal/string) and BYTE_ARRAY paths were already size-driven, so they're untouched.

@wgtmac this also drops the partial required-length table you flagged. every read now bounds itself, so there's no half-covered enum check and the public signature stays the same. updated the test and the title/description to match.

[pitrou]

+1, thank you @jmestwa-coder