zclllyybb opened a new pull request, #63662:
URL: https://github.com/apache/doris/pull/63662

   ### What problem does this PR solve?
   
   Issue Number: None
   
   Related PR: None
   
   Problem Summary: `quantile_state_from_base64()` decodes user-provided base64 
strings into `QuantileState::deserialize()`. `QuantileState::is_valid()` 
previously checked only the outer TDigest serialized length, while 
`TDigest::unserialize()` trusted nested vector count fields before resizing and 
copying from the input buffer. A malformed TDigest payload could therefore pass 
validation and drive out-of-bounds reads or oversized allocations during 
deserialization.
   
   This PR validates the serialized TDigest layout against the available buffer 
before `QuantileState` accepts it, including the total length and all nested 
vector count fields. It also tightens `QuantileState` length checks for 
explicit and TDigest payloads, and adds a BE unit test that starts from a real 
TDigest-backed `QuantileState`, corrupts one nested count after a base64 
roundtrip, and verifies validation and deserialization reject the payload.
   
   ### Release note
   
   Malformed TDigest quantile state payloads are now rejected during 
deserialization.
   
   ### Check List (For Author)
   
   - Test:
       - Unit Test: `./run-be-ut.sh --run --filter=function_quantile_state_test.rejects_tdigest_base64_with_corrupted_inner_count -j 90`
       - Unit Test: `./run-be-ut.sh --run --filter=function_quantile_state_test.* -j 90`
       - Static Analysis: `build-support/run-clang-tidy.sh`
       - Code Style: `python3 build-support/run_clang_format.py --clang-format-executable /mnt/disk6/common/ldb_toolchain_toucan/bin/clang-format --inplace false ...`
   - Behavior changed: Yes. Malformed TDigest-backed quantile state payloads 
are rejected instead of being accepted for deserialization.
   - Does this need documentation: No
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
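
The validation pattern the PR description outlines (check the outer length and every nested count field against the bytes actually available before any resize or copy), as an added example that is not code from the Doris patch. The byte layout, `kElemSize`, and all function names are assumptions made for illustration, not Doris's real TDigest format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical layout (an assumption, not Doris's real TDigest format):
//   u32 total_len | u32 n1 | n1 * 16 B | u32 n2 | n2 * 16 B
constexpr size_t kElemSize = 16; // e.g. two doubles per element

// Read a u32 at *off if 4 bytes remain, then advance *off. Requires *off <= len.
static bool read_u32(const uint8_t* buf, size_t len, size_t* off, uint32_t* out) {
    if (len - *off < sizeof(uint32_t)) return false;
    std::memcpy(out, buf + *off, sizeof(uint32_t));
    *off += sizeof(uint32_t);
    return true;
}

// Skip one count-prefixed vector, checking the count against the bytes left.
static bool skip_vector(const uint8_t* buf, size_t len, size_t* off) {
    uint32_t count = 0;
    if (!read_u32(buf, len, off, &count)) return false;
    // Divide rather than multiply so a huge count cannot overflow size_t.
    if (count > (len - *off) / kElemSize) return false;
    *off += static_cast<size_t>(count) * kElemSize;
    return true;
}

// True only if the payload is self-consistent; call before any resize or copy.
bool layout_is_valid(const uint8_t* buf, size_t avail) {
    size_t off = 0;
    uint32_t total = 0;
    if (!read_u32(buf, avail, &off, &total)) return false;
    if (total > avail || total < off) return false; // outer length vs. real buffer
    // Inner fields are bounded by the declared total, not the whole buffer.
    if (!skip_vector(buf, total, &off)) return false;
    if (!skip_vector(buf, total, &off)) return false;
    return off == total; // every declared byte is accounted for
}

// Constructed sample: a well-formed, zero-filled payload with the given counts.
std::vector<uint8_t> make_payload(uint32_t n1, uint32_t n2) {
    uint32_t total = static_cast<uint32_t>(12 + (n1 + n2) * kElemSize);
    std::vector<uint8_t> p(total, 0);
    std::memcpy(p.data(), &total, 4);
    std::memcpy(p.data() + 4, &n1, 4);
    std::memcpy(p.data() + 8 + n1 * kElemSize, &n2, 4);
    return p;
}
```

A payload whose outer length is correct but whose inner count has been altered fails either the per-vector bound or the final `off == total` check, which is the case an outer-length-only check misses.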