Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integer overflow in ZlibOutputBuffer causes crash #11668

Open
jtotzid opened this issue Apr 18, 2024 · 3 comments
Open

Integer overflow in ZlibOutputBuffer causes crash #11668

jtotzid opened this issue Apr 18, 2024 · 3 comments

Comments

@jtotzid
Copy link

jtotzid commented Apr 18, 2024

In https://github.com/openxla/xla/blob/main/third_party/tsl/tsl/lib/io/zlib_outputbuffer.cc#L158 we are truncating a 64-bit size to 32-bit and comparing it to a threshold.

When the size of input data is too big it will wrap around and the check will pass: the truncated size is smaller than the available space (when it actually is not). This will then cause a crash at https://github.com/openxla/xla/blob/main/third_party/tsl/tsl/lib/io/zlib_outputbuffer.cc#L77.

May I suggest instead the integer cast to be:

if (bytes_to_write <= static_cast<size_t>(AvailableInputSpace())) {

i.e. you are casting to a larger, not a smaller, type.
@cheshire
Copy link
Member

Thanks ! Could you provide a test case?

@akuegel
Copy link
Member

akuegel commented Apr 22, 2024

I have fixed it in the way you suggested (2abc3fd). Please let me know whether it works now as expected.

@jtotzid
Copy link
Author

jtotzid commented Apr 29, 2024

thanks for the quick fix!
trying to build from source but encountering some hiccups...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cheshire @akuegel @jtotzid