
fix(parquet): avoid panic on ColumnIndex length mismatch #9833

Merged
etseidl merged 1 commit into apache:main from pchintar:columnindex-length-validation
Apr 29, 2026

@pchintar
Contributor

Which issue does this PR close?

Rationale for this change

In parquet/src/file/page_index/column_index.rs, ColumnIndex decoding assumes that page-aligned arrays (null_pages, min_values, max_values, and optional arrays) have matching lengths, but this is not validated.

As a result, malformed metadata can trigger an out-of-bounds panic during decoding instead of returning a ParquetError. Since parquet files are external input, this should be handled safely.

What changes are included in this PR?

  • Added validation in:

    • PrimitiveColumnIndex::try_new
    • ByteArrayColumnIndex::try_new
  • Ensures:

    • min_values.len() == null_pages.len()
    • max_values.len() == null_pages.len()
    • optional arrays (null_counts, histograms) are consistent with page count
  • Returns ParquetError on mismatch instead of panicking

Are these changes tested?

Yes.

Added a unit test:

  • test_column_index_rejects_mismatched_min_max_lengths

This constructs a ColumnIndex with mismatched lengths and verifies that decoding returns an error instead of panicking.

Are there any user-facing changes?

No.

@github-actions github-actions Bot added the parquet Changes to the parquet crate label Apr 26, 2026
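
The validation described in the pull request above, as an added Rust example that is not the PR's code and not the parquet crate's API. `PageStats`, `IndexError`, `check_len` and `page_range` are hypothetical stand-ins, values are fixed to `i64`, and the histogram rule (flattened length must be a multiple of the page count) is an assumption about what "consistent with page count" means.

```rust
// Added illustration: simplified stand-in types, not the parquet crate's own.
#[derive(Debug, PartialEq)]
pub struct IndexError(pub String);

#[allow(dead_code)]
#[derive(Debug)]
pub struct PageStats {
    null_pages: Vec<bool>,
    min_values: Vec<i64>,
    max_values: Vec<i64>,
    null_counts: Option<Vec<i64>>,
    level_histogram: Option<Vec<i64>>, // flattened: one run of bins per page
}

fn check_len(name: &str, got: usize, pages: usize) -> Result<(), IndexError> {
    if got == pages { return Ok(()); }
    Err(IndexError(format!("{name} has {got} entries, expected {pages}")))
}

impl PageStats {
    pub fn try_new(
        null_pages: Vec<bool>, min_values: Vec<i64>, max_values: Vec<i64>,
        null_counts: Option<Vec<i64>>, level_histogram: Option<Vec<i64>>,
    ) -> Result<Self, IndexError> {
        let pages = null_pages.len(); // page count is taken from null_pages
        check_len("min_values", min_values.len(), pages)?;
        check_len("max_values", max_values.len(), pages)?;
        if let Some(nc) = &null_counts { check_len("null_counts", nc.len(), pages)?; }
        if let Some(h) = &level_histogram {
            // Assumed rule: the flattened histogram must split evenly across pages.
            let uneven = if pages == 0 { !h.is_empty() } else { h.len() % pages != 0 };
            if uneven {
                return Err(IndexError(format!("histogram has {} bins for {pages} pages", h.len())));
            }
        }
        Ok(Self { null_pages, min_values, max_values, null_counts, level_histogram })
    }

    /// Min/max of one page; None for an all-null page or an out-of-range index.
    pub fn page_range(&self, page: usize) -> Option<(i64, i64)> {
        if *self.null_pages.get(page)? { return None; }
        Some((self.min_values[page], self.max_values[page])) // in bounds after try_new
    }
}

fn main() {
    // Constructed malformed input: two pages but only one min value.
    println!("{:?}", PageStats::try_new(vec![false, false], vec![1], vec![5, 9], None, None));
}
```

Because every array is checked against the page count once in the constructor, the per-page accessor can index `min_values` and `max_values` without a bounds panic on untrusted input.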
@etseidl
Contributor

etseidl commented Apr 27, 2026

run benchmark metadata

@adriangbot

🤖 Arrow criterion benchmark running (GKE) | trigger
Instance: c4a-highmem-16 (12 vCPU / 65 GiB) | Linux bench-c4329537350-1850-gjdwb 6.12.55+ #1 SMP Sun Feb 1 08:59:41 UTC 2026 aarch64 GNU/Linux

CPU Details (lscpu)
Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Comparing columnindex-length-validation (b88e803) to 4fa8d2f (merge-base) diff
BENCH_NAME=metadata
BENCH_COMMAND=cargo bench --features=arrow,async,test_common,experimental,object_store --bench metadata
BENCH_FILTER=
Results will be posted here when complete


File an issue against this benchmark runner

@adriangbot

🤖 Arrow criterion benchmark completed (GKE) | trigger

Instance: c4a-highmem-16 (12 vCPU / 65 GiB)


group                                            columnindex-length-validation          main
-----                                            -----------------------------          ----
decode metadata (wide) with schema               1.00     25.6±0.33ms        ? ?/sec    1.03     26.5±0.41ms        ? ?/sec
decode metadata (wide) with skip PES             1.00     24.8±0.49ms        ? ?/sec    1.04     25.8±0.43ms        ? ?/sec
decode metadata (wide) with skip all stats       1.00     28.0±2.01ms        ? ?/sec    1.02     28.5±0.33ms        ? ?/sec
decode metadata (wide) with skip column stats    1.00     26.6±0.39ms        ? ?/sec    1.04     27.6±0.43ms        ? ?/sec
decode metadata (wide) with skip size stats      1.00     28.9±0.63ms        ? ?/sec    1.04     30.0±0.49ms        ? ?/sec
decode metadata (wide) with stats mask           1.00     24.7±0.52ms        ? ?/sec    1.05     26.0±0.60ms        ? ?/sec
decode metadata with schema                      1.00      4.0±0.03µs        ? ?/sec    1.01      4.0±0.07µs        ? ?/sec
decode metadata with skip PES                    1.00      6.7±0.02µs        ? ?/sec    1.03      6.9±0.04µs        ? ?/sec
decode metadata with skip column stats           1.00      6.6±0.01µs        ? ?/sec    1.03      6.8±0.08µs        ? ?/sec
decode metadata with stats mask                  1.00      6.7±0.04µs        ? ?/sec    1.02      6.9±0.10µs        ? ?/sec
decode parquet metadata                          1.00      7.0±0.01µs        ? ?/sec    1.02      7.1±0.11µs        ? ?/sec
decode parquet metadata (wide)                   1.00     27.7±0.32ms        ? ?/sec    1.04     28.8±0.37ms        ? ?/sec
decode parquet metadata w/ size stats (wide)     1.00     33.8±0.57ms        ? ?/sec    1.04     35.0±0.36ms        ? ?/sec
open(default)                                    1.00      7.6±0.13µs        ? ?/sec    1.03      7.8±0.28µs        ? ?/sec
open(page index)                                 1.01     87.1±0.05µs        ? ?/sec    1.00     86.2±0.10µs        ? ?/sec

Resource Usage

base (merge-base)

Metric Value
Wall time 145.0s
Peak memory 4.3 GiB
Avg memory 4.2 GiB
CPU user 141.8s
CPU sys 0.8s
Peak spill 0 B

branch

Metric Value
Wall time 145.0s
Peak memory 4.3 GiB
Avg memory 4.2 GiB
CPU user 143.9s
CPU sys 0.2s
Peak spill 0 B

Contributor

@etseidl etseidl left a comment

Looks good to me. Thanks @pchintar

@etseidl etseidl merged commit ba7dada into apache:main Apr 29, 2026
16 checks passed

Development

Successfully merging this pull request may close these issues.

ColumnIndex length mismatch can cause panic during decoding in Parquet
