From c22b9e3c8e7c88c36bbd5e6f56df258f48489923 Mon Sep 17 00:00:00 2001
From: metsw24-max <metsw24@gmail.com>
Date: Wed, 27 May 2026 18:23:09 +0530
Subject: [PATCH] GH-50054: [C++][IPC] Validate indices buffer size in
 ReadSparseCOOIndex

---
 cpp/src/arrow/ipc/reader.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cpp/src/arrow/ipc/reader.cc b/cpp/src/arrow/ipc/reader.cc
index 512305d6570..cc3b550414c 100644
--- a/cpp/src/arrow/ipc/reader.cc
+++ b/cpp/src/arrow/ipc/reader.cc
@@ -2293,6 +2293,14 @@ Result<std::shared_ptr<SparseIndex>> ReadSparseCOOIndex(
                         file->ReadAt(indices_buffer->offset(), indices_buffer->length(),
                                      /*allow_short_read=*/false));
   std::vector<int64_t> indices_shape({non_zero_length, ndim});
+  int64_t indices_minimum_bytes;
+  if (arrow::internal::MultiplyWithOverflow(non_zero_length, ndim,
+                                            &indices_minimum_bytes) ||
+      arrow::internal::MultiplyWithOverflow(indices_minimum_bytes, indices_elsize,
+                                            &indices_minimum_bytes) ||
+      indices_minimum_bytes > indices_buffer->length()) {
+    return Status::Invalid("shape is inconsistent to the size of indices buffer");
+  }
   auto* indices_strides = sparse_index->indicesStrides();
   std::vector<int64_t> strides(2);
   if (indices_strides && indices_strides->size() > 0) {