Crash on Large Width Initialization due to Unchecked calloc in C Extension

Open yhrscholar opened this issue 10 months ago • 1 comments

Description

Initializing a CountMinSketch object with a large, valid width can lead to a crash.

The root cause lies within the C extension's initialization function (likely named CMS_VARIANT(_init) or similar, called internally by CMS_Log8, CMS_Log1024). This function allocates memory for each row of the sketch table using calloc:

self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));

The return value of this calloc call is not checked for NULL before being assigned.

Steps/Code/Corpus to Reproduce

from bounter import CountMinSketch

trigger_width = 1 << 31  # 2147483648
trigger_depth = 1
trigger_log_counting = None
try:
    cms = CountMinSketch(width=trigger_width,
                         depth=trigger_depth,
                         log_counting=trigger_log_counting)
except Exception as e:
    print(f"Caught Python exception (UNEXPECTED, crash is more likely): {e}")

Expected Results

When calloc fails within the C extension due to insufficient memory (triggered by the large width), the initialization should fail gracefully.

Actual Results

The Python process crashes, typically with a Segmentation Fault.

Version

commit hash: 21aeda1b88402bacb44ce92d05c08b632a1edb21

yhrscholar, Apr 23 '25 01:04
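
The graceful-failure behaviour described under Expected Results, as an added example that is not bounter's code: each row allocation is checked, and a failure frees the partially built table and returns an error the caller can turn into a Python exception. The names sketch_t, sketch_init, sketch_free, cell_t and the injectable failing_calloc are hypothetical; the allocator is injected only so that an out-of-memory condition can be simulated deterministically.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t cell_t;                     /* stand-in for CMS_CELL_TYPE */
typedef void *(*calloc_fn)(size_t, size_t);  /* injectable allocator (assumption) */
typedef struct { size_t width, depth; cell_t **table; } sketch_t; /* hypothetical */

/* Release a fully or partially built table; rows never allocated are NULL. */
static void sketch_free(sketch_t *s) {
    if (s->table)
        for (size_t i = 0; i < s->depth; i++)
            free(s->table[i]);               /* free(NULL) is a no-op */
    free(s->table);
    s->table = NULL;
}

/* Returns 0 on success, -1 on invalid size or allocation failure. */
static int sketch_init(sketch_t *s, size_t width, size_t depth, calloc_fn alloc) {
    s->width = width; s->depth = depth; s->table = NULL;
    if (width == 0 || depth == 0 || width > SIZE_MAX / sizeof(cell_t))
        return -1;                           /* byte count would overflow size_t */
    s->table = alloc(depth, sizeof(cell_t *)); /* zeroed, so unset rows are NULL */
    if (s->table == NULL)
        return -1;
    for (size_t i = 0; i < depth; i++) {
        s->table[i] = alloc(width, sizeof(cell_t));
        if (s->table[i] == NULL) {           /* the check the issue reports missing */
            sketch_free(s);                  /* undo rows 0..i-1 and the row array */
            return -1;
        }
    }
    return 0;
}

/* Constructed test allocator: succeeds twice, then reports out-of-memory. */
static int allocs_left = 2;
static void *failing_calloc(size_t n, size_t size) {
    if (allocs_left-- <= 0) return NULL;
    return calloc(n, size);
}

int main(void) {
    sketch_t s;
    /* The third allocation (row 1) fails: init must report it and leak nothing. */
    return (sketch_init(&s, 16, 3, failing_calloc) == -1 && s.table == NULL) ? 0 : 1;
}
```

In a CPython extension, the -1 path would typically call PyErr_NoMemory() before returning, so the caller sees MemoryError instead of a segmentation fault.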

Hi team,

Could you please take a look and confirm it at your earliest convenience? Thanks!

yhrscholar, May 07 '25 22:05