When reading a Feather V1 file, ReaderV1::LoadValues in cpp/src/arrow/ipc/feather.cc reads total_bytes of data for a column, then carves null-bitmap, offsets, and values sub-buffers using sizes derived from meta->length(). That length comes from the footer flatbuffer (parsed with GetCTable and never verified) and is independent of the data buffer, so a file declaring a large length but a small total_bytes produces SliceBuffer calls that fall outside the backing buffer, and the trailing buffer->size() - offset underflows. The resulting oversized buffer views lead to an out-of-bounds read when the array is consumed.
SliceBuffer only validates in debug builds, so the slices should use SliceBufferSafe and reject negative length/null_count.
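As an added example, not code from the Arrow project: a self-contained C++ model of the sub-buffer carving described above, showing the unchecked arithmetic beside a bounds-checked variant that rejects negative length/null_count and refuses any slice that does not fit in total_bytes. ColumnMeta, CarveUnchecked and CarveChecked are hypothetical names, and the 8-byte padding and bitmap/offsets sizing are assumed to mirror the Feather V1 layout the report describes.

```cpp
#include <cstdint>
#include <optional>
#include <vector>
// Hypothetical model of the Feather V1 column layout described above
// (null bitmap | int32 offsets | values); not Arrow's own code.
struct ColumnMeta {
  int64_t length;      // row count from the footer flatbuffer (untrusted)
  int64_t null_count;  // also from the footer (untrusted)
  bool binary_like;    // string/binary columns carry an offsets buffer
};
struct Slice { int64_t offset; int64_t length; };

// Feather V1 pads each sub-buffer to an 8-byte boundary.
static int64_t PadTo8(int64_t n) { return (n + 7) & ~int64_t{7}; }

// Unchecked carve: sizes come from meta.length and are never compared with
// total_bytes, so slices overrun the buffer and the tail length goes negative.
std::vector<Slice> CarveUnchecked(int64_t total_bytes, const ColumnMeta& meta) {
  std::vector<Slice> out;
  int64_t offset = 0;
  if (meta.null_count > 0) {
    int64_t bitmap_size = PadTo8((meta.length + 7) / 8);
    out.push_back({offset, bitmap_size});
    offset += bitmap_size;
  }
  if (meta.binary_like) {
    int64_t offsets_size = PadTo8((meta.length + 1) * 4);
    out.push_back({offset, offsets_size});
    offset += offsets_size;
  }
  out.push_back({offset, total_bytes - offset});  // underflows if offset > total_bytes
  return out;
}

// Hardened carve: rejects negative metadata, bounds the arithmetic before it
// can overflow, and checks every slice against the real buffer size first.
std::optional<std::vector<Slice>> CarveChecked(int64_t total_bytes, const ColumnMeta& meta) {
  if (total_bytes < 0 || meta.length < 0 || meta.null_count < 0) return std::nullopt;
  if (meta.length > (INT64_MAX - 8) / 4 - 1) return std::nullopt;  // (length+1)*4+7 must fit
  std::vector<Slice> out;
  int64_t offset = 0;
  auto take = [&](int64_t size) {  // the SliceBufferSafe-style bounds check
    if (size < 0 || size > total_bytes - offset) return false;
    out.push_back({offset, size});
    offset += size;
    return true;
  };
  if (meta.null_count > 0 && !take(PadTo8((meta.length + 7) / 8))) return std::nullopt;
  if (meta.binary_like && !take(PadTo8((meta.length + 1) * 4))) return std::nullopt;
  if (!take(total_bytes - offset)) return std::nullopt;
  return out;
}
```

With a footer that declares 2^40 rows for a 64-byte column, CarveUnchecked hands back a bitmap slice far larger than the buffer and a negative values length, while CarveChecked returns nothing and the column is rejected before any buffer view is built.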