Additional hardening of index load path#4817
Closed
scsiguy wants to merge 1 commit intofacebookresearch:mainfrom
Closed
Additional hardening of index load path#4817scsiguy wants to merge 1 commit intofacebookresearch:mainfrom
scsiguy wants to merge 1 commit intofacebookresearch:mainfrom
Conversation
Summary: Address input validation gaps in the load path: #: 1 FPE (divide-by-zero) Location: ProductQuantizer::set_derived_values() Root Cause: M=0 causes d % M to divide by zero Fix: Validate M > 0 in read_ProductQuantizer and set_derived_values() ──────────────────────────────────────── #: 2 OOB vector access Location: AdditiveQuantizer::set_derived_values() Root Cause: nbits.size() != M causes access to nbits[i] beyond bounds Fix: Validate nbits.size() == M in read_AdditiveQuantizer ──────────────────────────────────────── #: 3 OOB vector access Location: ResidualQuantizer old format Root Cause: Same as facebookresearch#2 but via read_ResidualQuantizer_old path Fix: Validate nbits.size() == M in read_ResidualQuantizer_old ──────────────────────────────────────── #: 4 Integer overflow Location: ProductQuantizer::set_derived_values() Root Cause: d * ksub overflows when nbits is large Fix: Use mul_no_overflow() for centroids.resize(), moved nbits > 24 check before code_size computation ──────────────────────────────────────── #: 5 FPE (divide-by-zero) + stack overflow Location: IndexLattice constructor Root Cause: nsq=0 causes d/nsq divide-by-zero; garbage nsq causes stack overflow in ZnSphereCodec Fix: Validate nsq > 0, d > 0, d % nsq == 0, r2 >= 0 before construction Files Modified Reviewed By: mdouze Differential Revision: D93486058
Contributor
scsiguy
added a commit
to scsiguy/faiss
that referenced
this pull request
Feb 19, 2026
Summary: Address input validation gaps in the load path: #: 1 FPE (divide-by-zero) Location: ProductQuantizer::set_derived_values() Root Cause: M=0 causes d % M to divide by zero Fix: Validate M > 0 in read_ProductQuantizer and set_derived_values() ──────────────────────────────────────── #: 2 OOB vector access Location: AdditiveQuantizer::set_derived_values() Root Cause: nbits.size() != M causes access to nbits[i] beyond bounds Fix: Validate nbits.size() == M in read_AdditiveQuantizer ──────────────────────────────────────── #: 3 OOB vector access Location: ResidualQuantizer old format Root Cause: Same as facebookresearch#2 but via read_ResidualQuantizer_old path Fix: Validate nbits.size() == M in read_ResidualQuantizer_old ──────────────────────────────────────── #: 4 Integer overflow Location: ProductQuantizer::set_derived_values() Root Cause: d * ksub overflows when nbits is large Fix: Use mul_no_overflow() for centroids.resize(), moved nbits > 24 check before code_size computation ──────────────────────────────────────── #: 5 FPE (divide-by-zero) + stack overflow Location: IndexLattice constructor Root Cause: nsq=0 causes d/nsq divide-by-zero; garbage nsq causes stack overflow in ZnSphereCodec Fix: Validate nsq > 0, d > 0, d % nsq == 0, r2 >= 0 before construction Files Modified Reviewed By: mdouze Differential Revision: D93486058
Contributor
|
This pull request has been merged in d260887. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary:
Address input validation gaps in the load path:
#: 1
FPE (divide-by-zero)
Location: ProductQuantizer::set_derived_values()
Root Cause: M=0 causes d % M to divide by zero
Fix: Validate M > 0 in read_ProductQuantizer and set_derived_values()
────────────────────────────────────────
#: 2
OOB vector access
Location: AdditiveQuantizer::set_derived_values()
Root Cause: nbits.size() != M causes access to nbits[i] beyond bounds
Fix: Validate nbits.size() == M in read_AdditiveQuantizer
────────────────────────────────────────
#: 3
OOB vector access
Location: ResidualQuantizer old format
Root Cause: Same as #2 but via read_ResidualQuantizer_old path
Fix: Validate nbits.size() == M in read_ResidualQuantizer_old
────────────────────────────────────────
#: 4
Integer overflow
Location: ProductQuantizer::set_derived_values()
Root Cause: d * ksub overflows when nbits is large
Fix: Use mul_no_overflow() for centroids.resize(), moved nbits > 24 check
before code_size computation
────────────────────────────────────────
#: 5
FPE (divide-by-zero) + stack overflow
Location: IndexLattice constructor
Root Cause: nsq=0 causes d/nsq divide-by-zero; garbage nsq causes stack
overflow in ZnSphereCodec
Fix: Validate nsq > 0, d > 0, d % nsq == 0, r2 >= 0 before construction
Files Modified
Reviewed By: mdouze
Differential Revision: D93486058