Avoid overflow in index input slices invariant checks (#14126)

ChrisHegarty · ChrisHegarty · commit 1b494c51c87b · 2025-01-20T09:33:58.000Z
This commit avoids overflow in index input slices invariant checks.

While not a problem in practice, this can lead to more obscure failures which are harder to diagnose. Reworking the invariant checks to avoid the potential to overflow is trivial. Existing tests cover the most cases, while a single new scenario covered the overflow case.
diff --git a/lucene/CHANGES.txt b/lucene/CHANGES.txt
@@ -52,6 +52,9 @@ Bug Fixes
 
 * GITHUB#14123: SortingCodecReader NPE when segment has no (points, vectors, etc...) (Mike Sokolov)
 
+* GITHUB#14126: Avoid overflow in index input slices invariant checks
+  (Chris Hegarty)
+
 Other
 ---------------------
 
diff --git a/lucene/core/src/java/org/apache/lucene/store/BufferedIndexInput.java b/lucene/core/src/java/org/apache/lucene/store/BufferedIndexInput.java
@@ -401,7 +401,7 @@ private static final class SlicedIndexInput extends BufferedIndexInput {
               ? base.toString()
               : (base.toString() + " [slice=" + sliceDescription + "]"),
           BufferedIndexInput.BUFFER_SIZE);
-      if (offset < 0 || length < 0 || offset + length > base.length()) {
+      if ((length | offset) < 0 || length > base.length() - offset) {
         throw new IllegalArgumentException(
             "slice() " + sliceDescription + " out of bounds: " + base);
       }
diff --git a/lucene/core/src/java/org/apache/lucene/store/ByteBuffersDataInput.java b/lucene/core/src/java/org/apache/lucene/store/ByteBuffersDataInput.java
@@ -424,7 +424,7 @@ public void skipBytes(long numBytes) throws IOException {
   }
 
   public ByteBuffersDataInput slice(long offset, long length) {
-    if (offset < 0 || length < 0 || offset + length > this.length) {
+    if ((length | offset) < 0 || length > this.length - offset) {
       throw new IllegalArgumentException(
           String.format(
               Locale.ROOT,
diff --git a/lucene/core/src/java/org/apache/lucene/store/NIOFSDirectory.java b/lucene/core/src/java/org/apache/lucene/store/NIOFSDirectory.java
@@ -139,7 +139,7 @@ public NIOFSIndexInput clone() {
 
     @Override
     public IndexInput slice(String sliceDescription, long offset, long length) throws IOException {
-      if (offset < 0 || length < 0 || offset + length > this.length()) {
+      if ((length | offset) < 0 || length > this.length() - offset) {
         throw new IllegalArgumentException(
             "slice() "
                 + sliceDescription
diff --git a/lucene/core/src/java21/org/apache/lucene/store/MemorySegmentIndexInput.java b/lucene/core/src/java21/org/apache/lucene/store/MemorySegmentIndexInput.java
@@ -597,7 +597,7 @@ public final MemorySegmentIndexInput clone() {
    */
   @Override
   public final MemorySegmentIndexInput slice(String sliceDescription, long offset, long length) {
-    if (offset < 0 || length < 0 || offset + length > this.length) {
+    if ((length | offset) < 0 || length > this.length - offset) {
       throw new IllegalArgumentException(
           "slice() "
               + sliceDescription
diff --git a/lucene/misc/src/java/org/apache/lucene/misc/store/RAFDirectory.java b/lucene/misc/src/java/org/apache/lucene/misc/store/RAFDirectory.java
@@ -136,7 +136,7 @@ public RAFIndexInput clone() {
 
     @Override
     public IndexInput slice(String sliceDescription, long offset, long length) throws IOException {
-      if (offset < 0 || length < 0 || offset + length > this.length()) {
+      if ((length | offset) < 0 || length > this.length() - offset) {
         throw new IllegalArgumentException(
             "slice() " + sliceDescription + " out of bounds: " + this);
       }
diff --git a/lucene/test-framework/src/java/org/apache/lucene/tests/store/BaseDirectoryTestCase.java b/lucene/test-framework/src/java/org/apache/lucene/tests/store/BaseDirectoryTestCase.java
@@ -771,6 +771,12 @@ public void testSliceOutOfBounds() throws Exception {
             slice.slice("slice3sub", 1, len / 2);
           });
 
+      expectThrows(
+          IllegalArgumentException.class,
+          () -> {
+            i.slice("slice4", Long.MAX_VALUE - 1, 10);
+          });
+
       i.close();
     }
   }
diff --git a/lucene/test-framework/src/java/org/apache/lucene/tests/store/SerialIOCountingDirectory.java b/lucene/test-framework/src/java/org/apache/lucene/tests/store/SerialIOCountingDirectory.java
@@ -194,7 +194,7 @@ public IndexInput slice(String sliceDescription, long offset, long length) throw
     public IndexInput slice(
         String sliceDescription, long offset, long length, ReadAdvice readAdvice)
         throws IOException {
-      if (offset < 0 || offset + length > sliceLength) {
+      if ((length | offset) < 0 || length > sliceLength - offset) {
         throw new IllegalArgumentException();
       }
       IndexInput clone = in.clone();

Original file line number	Diff line number	Diff line change
`@@ -401,7 +401,7 @@ private static final class SlicedIndexInput extends BufferedIndexInput {`
`401`	`401`	`? base.toString()`
`402`	`402`	`: (base.toString() + " [slice=" + sliceDescription + "]"),`
`403`	`403`	`BufferedIndexInput.BUFFER_SIZE);`
`404`		`- if (offset < 0 \|\| length < 0 \|\| offset + length > base.length()) {`
	`404`	`+ if ((length \| offset) < 0 \|\| length > base.length() - offset) {`
`405`	`405`	`throw new IllegalArgumentException(`
`406`	`406`	`"slice() " + sliceDescription + " out of bounds: " + base);`
`407`	`407`	`}`
Original file line number	Diff line number	Diff line change
`@@ -424,7 +424,7 @@ public void skipBytes(long numBytes) throws IOException {`
`424`	`424`	`}`
`425`	`425`
`426`	`426`	`public ByteBuffersDataInput slice(long offset, long length) {`
`427`		`- if (offset < 0 \|\| length < 0 \|\| offset + length > this.length) {`
	`427`	`+ if ((length \| offset) < 0 \|\| length > this.length - offset) {`
`428`	`428`	`throw new IllegalArgumentException(`
`429`	`429`	`String.format(`
`430`	`430`	`Locale.ROOT,`
Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ public RAFIndexInput clone() {`
`136`	`136`
`137`	`137`	`@Override`
`138`	`138`	`public IndexInput slice(String sliceDescription, long offset, long length) throws IOException {`
`139`		`- if (offset < 0 \|\| length < 0 \|\| offset + length > this.length()) {`
	`139`	`+ if ((length \| offset) < 0 \|\| length > this.length() - offset) {`
`140`	`140`	`throw new IllegalArgumentException(`
`141`	`141`	`"slice() " + sliceDescription + " out of bounds: " + this);`
`142`	`142`	`}`
Original file line number	Diff line number	Diff line change
`@@ -771,6 +771,12 @@ public void testSliceOutOfBounds() throws Exception {`
`771`	`771`	`slice.slice("slice3sub", 1, len / 2);`
`772`	`772`	`});`
`773`	`773`
	`774`	`+ expectThrows(`
	`775`	`+ IllegalArgumentException.class,`
	`776`	`+ () -> {`
	`777`	`+ i.slice("slice4", Long.MAX_VALUE - 1, 10);`
	`778`	`+ });`
	`779`	`+`
`774`	`780`	`i.close();`
`775`	`781`	`}`
`776`	`782`	`}`
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ public IndexInput slice(String sliceDescription, long offset, long length) throw`
`194`	`194`	`public IndexInput slice(`
`195`	`195`	`String sliceDescription, long offset, long length, ReadAdvice readAdvice)`
`196`	`196`	`throws IOException {`
`197`		`- if (offset < 0 \|\| offset + length > sliceLength) {`
	`197`	`+ if ((length \| offset) < 0 \|\| length > sliceLength - offset) {`
`198`	`198`	`throw new IllegalArgumentException();`
`199`	`199`	`}`
`200`	`200`	`IndexInput clone = in.clone();`