Skip to content

fix: harden encoder/decoder against UB, data races, and corrupted input#57

Merged
facontidavide merged 5 commits intomainfrom
fix/hardening-robustness-review
Feb 21, 2026
Merged

fix: harden encoder/decoder against UB, data races, and corrupted input#57
facontidavide merged 5 commits intomainfrom
fix/hardening-robustness-review

Conversation

@facontidavide
Copy link
Owner

@facontidavide facontidavide commented Feb 17, 2026

Summary

  • Fix decodeVarint UB: move shift overflow check before the shift operation to prevent undefined behavior on malformed 11+ byte varints
  • Fix decodeVarint underflow: guard against uval==0 (corrupted data) wrapping uint64_t to UINT64_MAX
  • Fix worker thread deadlock: detect dead compression worker on subsequent encode() calls instead of hanging forever
  • Fix WASM encode performance: compute MaxCompressedSize first and encode directly into caller's buffer when it fits, avoiding unnecessary heap allocation + memcpy
  • Clean up worker error semantics: only set worker_failed_ (not compression_done_) in catch block for clearer signal separation
  • Optimize encode(BufferView&): use header_.size() directly instead of re-serializing YAML via MaxCompressedSize
  • Improve error messages: include field name and type in MaxSerializedFieldSize errors
  • Add <cstring> include: make memcpy dependency explicit in encoding_utils.hpp
  • Fix FloatLossy test: kResolution was double, causing CTAD to deduce <double> template on float data — changed to float
  • Re-enable tests: uncomment test_field_encoders.cpp, test_intrinsics.cpp, test_header.cpp in CMakeLists and remove skip-tests from CI

Test plan

  • All 9 unit tests pass (including previously disabled ones)
  • Clean build with no warnings
  • Pre-commit hooks pass (clang-format, yaml, etc.)
  • Verify CI passes on Humble and Jazzy workflows

🤖 Generated with Claude Code

facontidavide and others added 2 commits February 17, 2026 22:03
@facontidavide @claude
fix: harden encoder/decoder against UB, data races, and corrupted input
5cf6d1d 
Address issues found during code review:
- Fix decodeVarint shift UB: check overflow before shift operation
- Fix decodeVarint underflow: guard against uval==0 on corrupted data
- Fix worker thread deadlock: detect dead worker on subsequent encode()
- Fix WASM encode: avoid extra allocation by encoding directly when buffer fits
- Clean up waitForCompressionComplete: only set worker_failed_ in error path
- Optimize encode(BufferView&): use header_.size() instead of YAML reserialization
- Improve readability and error messages in DecodeHeader/MaxSerializedFieldSize
- Add explicit <cstring> include in encoding_utils.hpp
- Fix pre-existing FloatLossy test bug: use float instead of double for kResolution
- Re-enable previously commented-out tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@facontidavide @claude
fix: additional hardening for decoder bounds checks and encoder threa…
59b6e06 
…d safety

- Add per-point bounds check in decodeChunk to replace per-field checks in
  fixed-size decoders (FieldDecoderCopy, FieldDecoderFloat_XOR), eliminating
  12-14% decode overhead while maintaining safety
- Keep per-field checks for variable-size decoders (Float_Lossy, FloatN_Lossy)
  where overhead is negligible relative to varint decoding
- Fix encoder deadlock on re-use after worker thread failure by joining dead
  thread and re-spawning; protect shared state resets with mutex
- Tighten decodeVarint overflow check from shift>=64 to shift>=63
- Derive point count from actual data size in ROS conversion instead of
  trusting metadata width*height to prevent over-allocation DoS

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@facontidavide facontidavide force-pushed the fix/hardening-robustness-review branch 5 times, most recently from 1d3f433 to 084f2e2 Compare February 21, 2026 03:18
@facontidavide @claude
fix: remove non-existent apt package from Jazzy CI workflow
62a14f7 
python3-ament-package does not exist on Ubuntu 24.04. The setup-ros
action and action-ros-ci already handle installing colcon and ament
dependencies, matching the working Humble CI workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@facontidavide facontidavide force-pushed the fix/hardening-robustness-review branch from 084f2e2 to 62a14f7 Compare February 21, 2026 03:25
@facontidavide facontidavide merged commit 74396e0 into main Feb 21, 2026
3 checks passed
@facontidavide facontidavide deleted the fix/hardening-robustness-review branch February 21, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@facontidavide