Skip to content

Fix integer overflows when decoding large payloads #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
PSeitz merged 4 commits into from
Oct 27, 2025
Merged

Fix integer overflows when decoding large payloads #192

PSeitz merged 4 commits into from
Oct 27, 2025

Conversation

@teh-cmc
Copy link
Contributor

@teh-cmc teh-cmc commented Oct 14, 2025
edited
Loading

This fixes an issue on 64bit platforms where encoding large payloads works as expected but decoding them subsequently fails.
The root cause is that write_integer expects host-sized integers (i.e. usize) while read_integer on the other hand always assumes 32bit integers.

This PR:

  • Adds a test demonstrating the issue (revert the fix to see it fail).
  • Fixes the issue by expecting usize everywhere. We could also go all the way and expect u64 everywhere instead, but I think keeping things host-sized by default is fine (yes, that means a 32bit host might still fail when decoding large enough data from a 64bit client).
  • Removes the unsafe implementation of write_integer. It is incompatible with values >32bits, and I don't think it is worth its weight in complexity in any case given how optimizer-friendly the safe version already is. Happy to revert that part if needed.

@teh-cmc teh-cmc mentioned this pull request Oct 14, 2025
Merged
2 tasks
This was referenced Oct 15, 2025
Open
Closed
@PSeitz
Copy link
Owner

PSeitz commented Oct 26, 2025

What's your use case? The block format is not a good match for such large payloads, since it requires everything to be in memory (compressed and decompressed data). The frame format is a better choice for large payloads.

@teh-cmc
Copy link
Contributor Author

teh-cmc commented Oct 27, 2025

What's your use case? The block format is not a good match for such large payloads, since it requires everything to be in memory (compressed and decompressed data). The frame format is a better choice for large payloads.

We use LZ4 blocks as a low-level primitive within a larger protocol that already manages its own framing. Under normal operation, these blocks are around ~1 MiB in size, but in certain rare edge cases outside our control, they can grow significantly larger. We’re fine with the extra memory cost in those situations, as long as the rest of the system remains stable.

@PSeitz PSeitz merged commit c1483c4 into PSeitz:main Oct 27, 2025
3 checks passed
@PSeitz
Copy link
Owner

PSeitz commented Oct 27, 2025

Thanks for the PR!

About the unsafe implementation of write_integer: The main difference currently seems to be for uncompressible data, where we get a large difference (~30%). But uncompressible data compression should already be fast enough, with its own fastpath.

@emilk
Copy link

emilk commented Oct 28, 2025

Thanks for merging this 🙏
Is there a patch release planned?

@PSeitz
Copy link
Owner

PSeitz commented Nov 11, 2025

Released with 0.12.0

@teh-cmc
Copy link
Contributor Author

teh-cmc commented Nov 12, 2025

Thank you!

teh-cmc added a commit to rerun-io/rerun that referenced this pull request Nov 12, 2025
@teh-cmc
LZ4 0.12 (fix decoding of unsually large chunks) (#11533)
8fd62ef 
This is a follow up to #11525. It
fixes the remaining half of
#11516.

We don't want to merge it as is yet. Let's see if we can get the fix
merged upstream first, so we don't have to depend on yet another fork:
* PSeitz/lz4_flex#192

---

* Fixes #11516

---

Checks:
* [x] `rerun` with `--nb_scans 3000` now works
* [x] `rerun rrd stats` with `--nb_scans 3000` now works
IsseW pushed a commit to rerun-io/rerun that referenced this pull request Nov 12, 2025
@teh-cmc @IsseW
LZ4 0.12 (fix decoding of unsually large chunks) (#11533)
d857328 
This is a follow up to #11525. It
fixes the remaining half of
#11516.

We don't want to merge it as is yet. Let's see if we can get the fix
merged upstream first, so we don't have to depend on yet another fork:
* PSeitz/lz4_flex#192

---

* Fixes #11516

---

Checks:
* [x] `rerun` with `--nb_scans 3000` now works
* [x] `rerun rrd stats` with `--nb_scans 3000` now works
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@teh-cmc @PSeitz @emilk