[arrow-data] Integer overflow in ArrayData::slice leads to undefined behavior

[ksj1230]

Description

This issue was previously reported privately and is now being disclosed following coordination with maintainers.

ArrayData::slice() computes offset + length without overflow checking.
When the sum wraps, the bounds check may pass, leading to an inconsistent internal state.

This can result in a potential out-of-bounds read via safe Rust APIs.

Fix

See PR #9813

Reported by Sungjin Kim (@ksj1230)

[alamb]

Thank you @ksj1230 -- this was fixed in

• Prevent ArrayData::slice length overflow #9813

To cause an issue, an adversary would need control over the arguments passed to ArrayData::slice(offset, length). Since the ArrayData[2] API is low level and not widely used outside the Arrow crate, and I would not expect it to receive direct unvalidated user inputs.

I expect the fix for this issue in 58.3.0 (later this week)

[alamb]

label_issue.py automatically added labels {'arrow'} from #9927