Crash on Large Depth Initialization due to Unchecked malloc in C Extension

Open yhrscholar opened this issue 8 months ago • 0 comments

Description

Initializing a CountMinSketch with a very large, valid depth can cause a crash. In the C extension’s initialization function (CMS_VARIANT(_init) in cms_common.c), the top‐level table pointer is allocated without checking the return value:

// cms_common.c
self->table = (CMS_CELL_TYPE **) malloc(
    self->depth * sizeof(CMS_CELL_TYPE *));

If malloc fails (returns NULL), later uses of self->table lead to segmentation faults.

Steps to Reproduce

from bounter import CountMinSketch

trigger_width = 1
trigger_depth = 1 << 20  # e.g. 1,048,576
cms = CountMinSketch(width=trigger_width, depth=trigger_depth)

Expected Results

A Python‐level exception (e.g., MemoryError) should be raised, and the process should not crash.

Actual Results

The Python process crashes with a segmentation fault when later dereferencing self->table.

Version

Commit hash: 21aeda1

yhrscholar, Jun 15 '25 00:06
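An added example, not bounter's code and not from the issue author: a stand-alone C model of a two-level table initializer that checks every allocation and unwinds on failure, with a fault-injecting allocator to exercise the error paths. The names `sketch_t`, `cell_t`, `xcalloc`, `fail_at`, `live_blocks` and the per-row layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t cell_t;            /* stand-in for CMS_CELL_TYPE (assumption) */

typedef struct {                    /* hypothetical model of the sketch object */
    size_t depth, width;
    cell_t **table;
} sketch_t;

/* Test hooks: fail the Nth allocation from now (0 = never); count live blocks. */
static long fail_at = 0;
static long live_blocks = 0;

static void *xcalloc(size_t n, size_t size) {
    if (fail_at > 0 && --fail_at == 0) return NULL;    /* simulated out-of-memory */
    void *p = calloc(n, size);
    if (p) live_blocks++;
    return p;
}
static void xfree(void *p) { if (p) { live_blocks--; free(p); } }

void sketch_free(sketch_t *s) {
    if (s->table) {
        for (size_t i = 0; i < s->depth; i++)
            xfree(s->table[i]);                        /* NULL rows are skipped */
        xfree(s->table);
    }
    s->table = NULL;
}

/* Returns 0 on success; -1 on failure, leaving s->table == NULL and no leaks.
 * In a CPython extension the -1 paths would also call PyErr_NoMemory(). */
int sketch_init(sketch_t *s, size_t width, size_t depth) {
    s->width = width; s->depth = depth; s->table = NULL;
    if (depth == 0 || width == 0) return -1;
    /* Reject sizes whose byte count would wrap around size_t. */
    if (depth > SIZE_MAX / sizeof(cell_t *)) return -1;
    if (width > SIZE_MAX / sizeof(cell_t)) return -1;
    s->table = xcalloc(depth, sizeof(cell_t *));       /* zeroed: rows start NULL */
    if (!s->table) return -1;
    for (size_t i = 0; i < depth; i++) {
        s->table[i] = xcalloc(width, sizeof(cell_t));
        if (!s->table[i]) { sketch_free(s); return -1; }   /* unwind partial state */
    }
    return 0;
}
```

Setting `fail_at` to 1 fails the top-level pointer array; a larger value fails one of the row allocations, which is the path that needs the partial cleanup.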