Skip to content

fix: add integer overflow protection with minimal performance impact #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

fix: add integer overflow protection with minimal performance impact #123

wants to merge 7 commits into from

Conversation

jgowdy-godaddy
Copy link
Collaborator

Summary

  • Fixes 3 critical integer overflow vulnerabilities identified in code review
  • Uses performance-conscious approaches with branch prediction hints

Changes

  1. SetMaxStackAllocItemSize: Clamp values to [0, 1MB] range using std::max/min
  2. EstimateAsherahOutputSize: Add overflow check only for suspiciously large data (>1TB)
  3. AllocationSizeToMaxDataSize: Add buffer underflow check with unlikely branch hint

Performance Impact

  • Minimal overhead by using branch prediction hints (unlikely())
  • Overflow checks only trigger for edge cases
  • No performance impact on common code paths

Test plan

  • All existing tests pass
  • Manually tested with edge case values
  • No performance regression in benchmarks

🤖 Generated with Claude Code

@jgowdy-godaddy
fix: add integer overflow protection with minimal performance impact
9ca9616 
- SetMaxStackAllocItemSize: Clamp values to [0, 1MB] range using std::max/min
- EstimateAsherahOutputSize: Add overflow check only for suspiciously large data (>1TB)
- AllocationSizeToMaxDataSize: Add buffer underflow check with unlikely branch hint

All fixes use performance-conscious approaches with branch prediction hints
@jgowdy-godaddy jgowdy-godaddy force-pushed the fix-integer-overflow-issues branch from ce0c45e to 866042c Compare August 3, 2025 19:37
@jgowdy-godaddy jgowdy-godaddy force-pushed the fix-integer-overflow-issues branch from 8e29030 to 70c5c05 Compare August 3, 2025 19:57
@jgowdy-godaddy
fix: set GOTOOLCHAIN=local to prevent Go version mismatch
d686809 
Force use of installed Go version (1.24.0) instead of allowing automatic
download of Go 1.24.1 which causes version mismatch errors in CI.
@jgowdy-godaddy
fix: add --tag beta to npm publish dry-run
5ac46b3 
Prevent version conflict error when dry-running npm publish since
the package.json version is 0.0.0 but published version is 3.0.8.
@jgowdy-godaddy
fix: add missing hints.h include in scoped_allocate.h
1cd282e 
Fix arm64 build failure caused by undefined unlikely() macro.
The scoped_allocate.h file uses unlikely() but didn't include
hints.h where the macro is defined.
@jgowdy-godaddy
fix: remove unnecessary --tag beta from npm publish dry-run
2ce86ee
@jgowdy-godaddy
fix: add --tag dev to npm publish dry-run to avoid version error
ae45b7c 
The CI npm version requires a tag when the package.json version (0.0.0)
is lower than the published version (3.0.8), even for dry-run.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jgowdy-godaddy