Skip to content

Add NDEBUG-safe boundary checks in SnappyIOVecReader::Advance #237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SongT-50 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add NDEBUG-safe boundary checks in SnappyIOVecReader::Advance #237

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions snappy.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1935,14 +1935,45 @@ class SnappyIOVecReader : public Source {
private:
// Advances to the next nonempty `iovec` and updates related variables.
void Advance() {
// Best-effort cap on consecutive zero-length iovec walks. Without an
// explicit `iov_cnt` parameter (see API-level fix recommendation in the
// accompanying PR description), this is the safest interim guard against
// a run of zero-length trailing entries paired with a nonzero claimed
// `total_size_remaining_`.
int empty_walks = 0;
constexpr int kMaxEmptyWalks = 1024;
do {
// Defensive check 1 (NDEBUG-safe): caller passed inconsistent
// `total_size_remaining_` (greater than the sum of actual `iov_len`
// values). Saturate to a no-data state and bail out instead of
// underflowing into a large unsigned value below.
if (total_size_remaining_ < curr_size_remaining_) {
curr_pos_ = nullptr;
curr_size_remaining_ = 0;
total_size_remaining_ = 0;
return;
}
assert(total_size_remaining_ >= curr_size_remaining_);
total_size_remaining_ -= curr_size_remaining_;
if (total_size_remaining_ == 0) {
curr_pos_ = nullptr;
curr_size_remaining_ = 0;
return;
}
// Defensive check 2: zero-length entries cap. If the caller claims
// `total_size_remaining_ > 0` but only zero-length iovecs are
// available, the do-while loop would otherwise spin past the array
// end. Bail out after `kMaxEmptyWalks` consecutive zero-length steps.
if (curr_size_remaining_ == 0) {
if (++empty_walks > kMaxEmptyWalks) {
curr_pos_ = nullptr;
curr_size_remaining_ = 0;
total_size_remaining_ = 0;
return;
}
} else {
empty_walks = 0;
}
++curr_iov_;
curr_pos_ = reinterpret_cast<const char*>(curr_iov_->iov_base);
curr_size_remaining_ = curr_iov_->iov_len;
Expand Down