fix(parquet): validate INT96 column metadata statistics

[fallintoplace]

Which issue does this PR close?

Closes #10002.

Rationale for this change

Malformed Parquet footer metadata can contain INT96 statistics whose encoded min or max value is longer than 12 bytes. The footer metadata conversion path checked that INT96 statistics were at least 12 bytes, but then asserted they were exactly 12 bytes. That allowed malformed input to panic instead of returning an error.

The page-statistics path already returns an error for non-12-byte INT96 statistics, so this change makes the footer metadata path behave consistently.

What changes are included in this PR?

This PR replaces the INT96 min/max length assertions in footer metadata statistics conversion with explicit ParquetError returns.

It also adds a regression test covering overlong INT96 min and max values in column metadata statistics.

Are these changes tested?

Yes. I ran:

• cargo fmt --all
• cargo +stable fmt --all -- --check
• cargo fmt -p parquet -- --check --config skip_children=true $(find ./parquet -name "*.rs" ! -name format.rs)
• cargo test -p parquet --lib file::metadata::thrift::tests::test_convert_stats_returns_error_for_overlong_int96_statistics
• cargo test -p parquet --lib file::metadata::thrift::tests
• cargo test -p parquet
• cargo check -p parquet --all-targets
• cargo clippy -p parquet --all-targets --all-features -- -D warnings

Are there any user-facing changes?

Malformed INT96 column metadata statistics now return an error instead of panicking.

[etseidl]

looks good, thanks @fallintoplace

[etseidl]

Verified this panics without the fix.

[etseidl]

run benchmark metadata

[adriangbot]

🤖 Arrow criterion benchmark running (GKE) | trigger
Instance: c4a-highmem-16 (12 vCPU / 65 GiB) | Linux bench-c4503375026-246-pqrfl 6.12.68+ #1 SMP Wed Apr 1 02:23:28 UTC 2026 aarch64 GNU/Linux

CPU Details (lscpu)

Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Comparing parquet-int96-stats-error (a10a041) to d48c305 (merge-base) diff
BENCH_NAME=metadata
BENCH_COMMAND=cargo bench --features=arrow,async,test_common,experimental,object_store --bench metadata
BENCH_FILTER=
Results will be posted here when complete

---

File an issue against this benchmark runner

[adriangbot]

🤖 Arrow criterion benchmark completed (GKE) | trigger

Instance: c4a-highmem-16 (12 vCPU / 65 GiB)

CPU Details (lscpu)

Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Details

group                                               main                                   parquet-int96-stats-error
-----                                               ----                                   -------------------------
decode metadata (wide) with schema                  1.00     26.2±0.35ms        ? ?/sec    1.02     26.8±0.43ms        ? ?/sec
decode metadata (wide) with skip PES                1.00     26.9±0.32ms        ? ?/sec    1.05     28.2±1.05ms        ? ?/sec
decode metadata (wide) with skip all stats          1.00     31.2±0.41ms        ? ?/sec    1.02     31.7±0.50ms        ? ?/sec
decode metadata (wide) with skip column stats       1.00     27.9±0.23ms        ? ?/sec    1.05     29.2±0.25ms        ? ?/sec
decode metadata (wide) with skip size stats         1.00     31.7±0.47ms        ? ?/sec    1.02     32.3±0.42ms        ? ?/sec
decode metadata (wide) with stats mask              1.00     25.9±0.34ms        ? ?/sec    1.02     26.4±0.86ms        ? ?/sec
decode metadata with schema                         1.00      4.2±0.01µs        ? ?/sec    1.00      4.2±0.03µs        ? ?/sec
decode metadata with skip PES                       1.00      7.1±0.05µs        ? ?/sec    1.00      7.1±0.02µs        ? ?/sec
decode metadata with skip column stats              1.01      6.9±0.05µs        ? ?/sec    1.00      6.8±0.01µs        ? ?/sec
decode metadata with stats mask                     1.00      6.9±0.03µs        ? ?/sec    1.01      6.9±0.03µs        ? ?/sec
decode parquet metadata                             1.00      7.2±0.03µs        ? ?/sec    1.00      7.3±0.02µs        ? ?/sec
decode parquet metadata (wide)                      1.00     28.4±0.30ms        ? ?/sec    1.00     28.3±0.20ms        ? ?/sec
decode parquet metadata no path_in_schema (wide)    1.00     28.2±0.74ms        ? ?/sec    1.02     28.9±0.32ms        ? ?/sec
decode parquet metadata w/ size stats (wide)        1.00     35.0±0.38ms        ? ?/sec    1.03     36.0±0.23ms        ? ?/sec
open(default)                                       1.01      7.9±0.11µs        ? ?/sec    1.00      7.8±0.10µs        ? ?/sec
open(page index)                                    1.00    133.0±0.22µs        ? ?/sec    1.00    132.6±0.22µs        ? ?/sec

Resource Usage

base (merge-base)

Metric	Value
Wall time	155.0s
Peak memory	4.3 GiB
Avg memory	4.2 GiB
CPU user	153.0s
CPU sys	0.8s
Peak spill	0 B

branch

Metric	Value
Wall time	155.0s
Peak memory	4.2 GiB
Avg memory	4.2 GiB
CPU user	154.0s
CPU sys	0.2s
Peak spill	0 B

---

File an issue against this benchmark runner

[etseidl]

run benchmark metadata

[adriangbot]

🤖 Arrow criterion benchmark running (GKE) | trigger
Instance: c4a-highmem-16 (12 vCPU / 65 GiB) | Linux bench-c4503611481-247-bxprx 6.12.68+ #1 SMP Wed Apr 1 02:23:28 UTC 2026 aarch64 GNU/Linux

CPU Details (lscpu)

Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Comparing parquet-int96-stats-error (a10a041) to d48c305 (merge-base) diff
BENCH_NAME=metadata
BENCH_COMMAND=cargo bench --features=arrow,async,test_common,experimental,object_store --bench metadata
BENCH_FILTER=
Results will be posted here when complete

---

File an issue against this benchmark runner

[adriangbot]

🤖 Arrow criterion benchmark completed (GKE) | trigger

Instance: c4a-highmem-16 (12 vCPU / 65 GiB)

CPU Details (lscpu)

Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Details

group                                               main                                   parquet-int96-stats-error
-----                                               ----                                   -------------------------
decode metadata (wide) with schema                  1.00     27.9±0.37ms        ? ?/sec    1.00     28.0±0.13ms        ? ?/sec
decode metadata (wide) with skip PES                1.00     28.4±0.36ms        ? ?/sec    1.01     28.6±0.12ms        ? ?/sec
decode metadata (wide) with skip all stats          1.00     32.0±0.19ms        ? ?/sec    1.02     32.6±0.25ms        ? ?/sec
decode metadata (wide) with skip column stats       1.00     29.2±0.34ms        ? ?/sec    1.02     29.6±0.19ms        ? ?/sec
decode metadata (wide) with skip size stats         1.00     32.7±0.32ms        ? ?/sec    1.00     32.8±0.20ms        ? ?/sec
decode metadata (wide) with stats mask              1.00     27.3±0.39ms        ? ?/sec    1.00     27.3±0.20ms        ? ?/sec
decode metadata with schema                         1.00      4.1±0.01µs        ? ?/sec    1.01      4.2±0.02µs        ? ?/sec
decode metadata with skip PES                       1.00      7.0±0.02µs        ? ?/sec    1.01      7.1±0.02µs        ? ?/sec
decode metadata with skip column stats              1.00      6.8±0.02µs        ? ?/sec    1.00      6.9±0.01µs        ? ?/sec
decode metadata with stats mask                     1.00      6.9±0.01µs        ? ?/sec    1.00      6.9±0.02µs        ? ?/sec
decode parquet metadata                             1.01      7.2±0.02µs        ? ?/sec    1.00      7.2±0.01µs        ? ?/sec
decode parquet metadata (wide)                      1.00     29.9±0.38ms        ? ?/sec    1.00     30.0±0.13ms        ? ?/sec
decode parquet metadata no path_in_schema (wide)    1.00     29.2±0.41ms        ? ?/sec    1.00     29.3±0.14ms        ? ?/sec
decode parquet metadata w/ size stats (wide)        1.00     36.1±0.44ms        ? ?/sec    1.00     36.3±0.15ms        ? ?/sec
open(default)                                       1.01      7.8±0.01µs        ? ?/sec    1.00      7.8±0.11µs        ? ?/sec
open(page index)                                    1.00    132.9±0.08µs        ? ?/sec    1.00    132.6±0.12µs        ? ?/sec

Resource Usage

base (merge-base)

Metric	Value
Wall time	160.0s
Peak memory	4.2 GiB
Avg memory	4.2 GiB
CPU user	156.8s
CPU sys	0.8s
Peak spill	0 B

branch

Metric	Value
Wall time	160.0s
Peak memory	4.2 GiB
Avg memory	4.2 GiB
CPU user	156.5s
CPU sys	0.2s
Peak spill	0 B

---

File an issue against this benchmark runner