Describe the bug
array_resize panics with capacity overflow when given a very large positive target size. The panic comes from Vec::reserve in raw_vec because the requested size in elements times the element layout exceeds isize::MAX.
Related-but-distinct from the other large-allocation panics filed via the recent fuzz pass (#22188 range/generate_series, #22217 repeat, #22218/#22219 array_repeat). array_resize has its own scalar count argument with the same missing validation.
To Reproduce
cargo run -p datafusion-cli -- -c "SELECT array_resize(make_array(1), 9223372036854775807, 0)"
Actual behavior
DataFusion CLI v53.1.0
thread 'main' panicked at .../library/alloc/src/raw_vec/mod.rs:28:5:
capacity overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Expected behavior
Return an execution error (e.g. "array_resize: target size too large") rather than panicking, mirroring the bounds-check fix suggested for #22188.
Environment
- DataFusion CLI v53.1.0 (from main at commit 8741a77)
Additional context
Found by running hand-crafted SQL through cargo run -p datafusion-cli -- -c .... Same root-cause shape as the other array-builder overflow panics: a user-supplied count is fed straight into Vec::reserve/with_capacity without bounding against isize::MAX / size_of::<T>().
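As an added illustration of the bounds check the report asks for (example code, not DataFusion's implementation; the names checked_len and resize_with are hypothetical), the length is validated against isize::MAX / size_of::<T>() before Vec::with_capacity sees it, so the i64::MAX count from the reproducer becomes an error instead of a panic:

```rust
// Added example, not DataFusion's code: validate a user-supplied element
// count before it reaches Vec::reserve / Vec::with_capacity.
use std::mem::size_of;

/// Return `target` as a usize, or an error if it is negative or if
/// `target * size_of::<T>()` would exceed isize::MAX (the condition under
/// which Vec::reserve panics with "capacity overflow").
fn checked_len<T>(target: i64) -> Result<usize, String> {
    if target < 0 {
        return Err(format!("array_resize: negative target size {target}"));
    }
    let len = target as usize;
    // Zero-sized types never overflow in Vec; treat them as 1 byte so the
    // same arithmetic applies uniformly.
    let elem = size_of::<T>().max(1);
    len.checked_mul(elem)
        .filter(|&bytes| bytes <= isize::MAX as usize)
        .map(|_| len)
        .ok_or_else(|| format!("array_resize: target size {target} too large"))
}

/// Resize `values` to `target` elements, truncating or padding with `fill`,
/// allocating only after the length has been validated.
fn resize_with<T: Clone>(values: &[T], target: i64, fill: T) -> Result<Vec<T>, String> {
    let len = checked_len::<T>(target)?;
    let mut out = Vec::with_capacity(len); // bounded above, cannot panic here
    out.extend_from_slice(&values[..values.len().min(len)]);
    out.resize(len, fill);
    Ok(out)
}

fn main() {
    // The count from the report (9223372036854775807 = i64::MAX) is rejected.
    println!("{:?}", resize_with(&[1i64], i64::MAX, 0));
    // An ordinary resize still works.
    println!("{:?}", resize_with(&[1i64, 2, 3], 5, 0));
}
```

The check only prevents the capacity-overflow panic; a count that passes it can still request far more memory than the process has, so an engine would additionally account the allocation against its memory limit.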