From a4bbb84d43b564508997d6207f7ec183349b8e9e Mon Sep 17 00:00:00 2001
From: jmestwa-coder <jmestwa@gmail.com>
Date: Mon, 25 May 2026 21:22:47 +0530
Subject: [PATCH 1/2] avoid 32-bit size overflow in WKBBuffer::ReadCoords
 bounds check

---
 cpp/src/parquet/geospatial/util_internal.cc     |  2 +-
 .../parquet/geospatial/util_internal_test.cc    | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/cpp/src/parquet/geospatial/util_internal.cc b/cpp/src/parquet/geospatial/util_internal.cc
index 59551ae87035..25a709306af5 100644
--- a/cpp/src/parquet/geospatial/util_internal.cc
+++ b/cpp/src/parquet/geospatial/util_internal.cc
@@ -64,7 +64,7 @@ class WKBBuffer {
 
   template <typename Coord, typename Visit>
   void ReadCoords(uint32_t n_coords, bool swap, Visit&& visit) {
-    size_t total_bytes = n_coords * sizeof(Coord);
+    uint64_t total_bytes = static_cast<uint64_t>(n_coords) * sizeof(Coord);
     if (size_ < total_bytes) {
       throw ParquetException("Can't read coordinate sequence of ", total_bytes,
                              " bytes from WKBBuffer with ", size_, " remaining");
diff --git a/cpp/src/parquet/geospatial/util_internal_test.cc b/cpp/src/parquet/geospatial/util_internal_test.cc
index 527bcc505051..c12d9d53c237 100644
--- a/cpp/src/parquet/geospatial/util_internal_test.cc
+++ b/cpp/src/parquet/geospatial/util_internal_test.cc
@@ -166,6 +166,23 @@ TEST_P(WKBTestFixture, TestWKBBounderErrorForInputWithTooManyBytes) {
   ASSERT_THROW(bounder.MergeGeometry(wkb_with_extra_byte), ParquetException);
 }
 
+TEST(TestGeometryUtil, TestWKBBounderErrorForCoordinateSequenceSizeOverflow) {
+  WKBGeometryBounder bounder;
+
+  // LINESTRING with 0x10000001 XY coordinates but only one coordinate in the buffer.
+  // On 32-bit targets, 0x10000001 * sizeof(XY) would overflow to 16 bytes.
+  std::vector<uint8_t> wkb = {
+      0x01,                                      // little endian
+      0x02, 0x00, 0x00, 0x00,                    // LINESTRING
+      0x01, 0x00, 0x00, 0x10,                    // 0x10000001 coordinates
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // x = 0
+      0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // y = 0
+      0x00};
+
+  ASSERT_THROW(bounder.MergeGeometry(wkb), ParquetException);
+}
+
 INSTANTIATE_TEST_SUITE_P(
     TestGeometryUtil, WKBTestFixture,
     ::testing::Values(

From 5459ce961e49e4dcbe432530018024bdf28ee073 Mon Sep 17 00:00:00 2001
From: jmestwa-coder <jmestwa@gmail.com>
Date: Thu, 28 May 2026 12:40:43 +0530
Subject: [PATCH 2/2] use MultiplyWithOverflow for coordinate sequence size

---
 cpp/src/parquet/geospatial/util_internal.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cpp/src/parquet/geospatial/util_internal.cc b/cpp/src/parquet/geospatial/util_internal.cc
index 25a709306af5..54e82f6c0458 100644
--- a/cpp/src/parquet/geospatial/util_internal.cc
+++ b/cpp/src/parquet/geospatial/util_internal.cc
@@ -21,6 +21,7 @@
 #include <sstream>
 
 #include "arrow/util/endian.h"
+#include "arrow/util/int_util_overflow.h"
 #include "arrow/util/macros.h"
 #include "arrow/util/ubsan.h"
 #include "parquet/exception.h"
@@ -64,8 +65,11 @@ class WKBBuffer {
 
   template <typename Coord, typename Visit>
   void ReadCoords(uint32_t n_coords, bool swap, Visit&& visit) {
-    uint64_t total_bytes = static_cast<uint64_t>(n_coords) * sizeof(Coord);
-    if (size_ < total_bytes) {
+    uint64_t total_bytes = 0;
+    if (::arrow::internal::MultiplyWithOverflow(static_cast<uint64_t>(n_coords),
+                                                static_cast<uint64_t>(sizeof(Coord)),
+                                                &total_bytes) ||
+        size_ < total_bytes) {
       throw ParquetException("Can't read coordinate sequence of ", total_bytes,
                              " bytes from WKBBuffer with ", size_, " remaining");
     }