GH-49884: [C++] Fix integer overflow in BufferBuilder reachable from JSON parsing

[metsw24-max]

Rationale for this change

BufferBuilder and TypedBufferBuilder perform size calculations that are reachable from JSON parsing of untrusted input. These calculations previously used unchecked integer arithmetic (e.g., size_ + additional_bytes, num_elements * sizeof(T)), which can overflow.

Since the JSON parser constructs arrays, strings, and offsets based on input data, an attacker can influence these values. Overflow in these calculations can result in incorrect buffer sizing and unsafe memory operations.

What changes are included in this PR?

• Added overflow-safe arithmetic using internal::AddWithOverflow and internal::MultiplyWithOverflow for:

  • size_ + additional_bytes
  • num_elements * sizeof(T)
  • capacity growth logic

• Added validation for negative inputs across:

  • Append
  • Reserve
  • Resize
  • Advance
  • FinishWithLength

• Hardened GrowByFactor to prevent overflow when doubling capacity

• Updated TypedBufferBuilder to safely compute byte sizes from element counts

• Added regression tests covering:

  • negative values
  • addition overflow
  • multiplication overflow

Are these changes tested?

Yes.

New tests were added to:

• Validate rejection of negative inputs
• Detect overflow conditions in both BufferBuilder and TypedBufferBuilder
• Ensure proper error handling (Invalid, CapacityError) instead of undefined behavior

Are there any user-facing changes?

No functional changes for valid inputs.

Invalid inputs (e.g., negative sizes or values causing overflow) that previously resulted in undefined behavior are now explicitly rejected with clear error statuses.

This PR contains a "Critical Fix".

Unchecked integer arithmetic in buffer size calculations could overflow when processing untrusted JSON input. This may result in under-allocation of buffers followed by writes of larger logical sizes, leading to potential out-of-bounds memory writes and undefined behavior.

This patch ensures all such arithmetic is validated, preventing incorrect buffer sizing and eliminating this class of memory safety issues.

• GitHub Issue: [C++] BufferBuilder integer overflow in size calculations reachable from JSON parsing #49884

[github-actions]

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - Contributing Overview

[github-actions]

⚠️ GitHub issue #49884 has been automatically assigned in GitHub to PR creator.

[pitrou]

Why not put these checks in AllocateResizableBuffer and PoolBuffer::Resize instead? That would benefit more use cases.

[pitrou]

That's a lot of similar checks that we're adding in many methods. Can we find a way of factoring these out, and hopefully avoid forgetting any call sites where such checks must be done?