fix: consolidated numeric overflow/underflow prevention with saturating operations #71
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ng operations This PR consolidates the following numeric safety fixes: - #39: Use saturating casts in git_info to prevent overflow - #40: Use saturating casts for token counts in streaming - #41: Use saturating subtraction to prevent underflow in compaction All changes use saturating arithmetic operations: - Replaced direct casts with saturating_sub and try_into - Prevents panic on numeric overflow/underflow conditions
This was referenced Feb 4, 2026
Greptile OverviewGreptile SummaryThis PR consolidates three numeric safety fixes to prevent overflow and underflow conditions across different components: Changes Made:
Impact: Confidence Score: 5/5
|
| Filename | Overview |
|---|---|
| src/cortex-compact/src/compactor.rs | Replaced arithmetic with saturating operations to prevent underflow when calculating tokens_after |
| src/cortex-engine/src/git_info.rs | Added saturation when casting usize line counts to u32 to prevent truncation overflow |
| src/cortex-engine/src/streaming.rs | Implemented saturating_i64_to_u32 helper to safely convert token counts with bounds checking |
Sequence Diagram
sequenceDiagram
participant App as Application Code
participant Comp as Compactor
participant Git as GitInfo
participant Stream as Streaming
Note over App,Stream: Numeric Overflow/Underflow Prevention
App->>Comp: compact(items, summary_text, current_tokens)
Note over Comp: tokens_in_compacted may exceed current_tokens
Comp->>Comp: saturating_sub(current_tokens, tokens_in_compacted)
Note over Comp: Prevents underflow: min value = 0
Comp->>Comp: saturating_add(result, summary_tokens)
Note over Comp: Prevents overflow: max value = usize::MAX
Comp-->>App: CompactionResult with safe tokens_after
App->>Git: GitInfo::from_path(path)
Git->>Git: count status lines (returns usize)
Note over Git: Line count may exceed u32::MAX
Git->>Git: min(count, u32::MAX as usize) as u32
Note over Git: Saturates to u32::MAX if too large
Git-->>App: GitInfo with safe u32 counts
App->>Stream: Convert TokenUsage (i64) to StreamTokenUsage (u32)
Note over Stream: Token values may be negative or > u32::MAX
Stream->>Stream: saturating_i64_to_u32(input_tokens)
alt value <= 0
Stream->>Stream: Return 0
else value > u32::MAX
Stream->>Stream: Return u32::MAX
else valid range
Stream->>Stream: Return value as u32
end
Stream-->>App: StreamTokenUsage with safe u32 tokens
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Contributor
Author
|
Closing this PR to consolidate into a single mega-PR combining all bug fixes. The changes will be included in a new consolidated PR. |
echobt
added a commit
that referenced
this pull request
Feb 4, 2026
This PR consolidates all bug fixes and security improvements from PRs #69-88 into a single cohesive change. ## Categories ### Security Fixes - Path traversal prevention in MCP and session storage - Shell injection prevention in restore scripts - Secure random temp files for external editor - TOCTOU race condition fixes ### TUI Improvements - Overflow prevention for u16 conversions - Cursor positioning fixes in selection lists - Unicode width handling for popups - Empty section handling in help browser ### Error Handling - Graceful semaphore and init failure handling - Improved error propagation in middleware - Better client access error handling - SystemTime operation safety ### Memory and Storage - Cache size limits to prevent unbounded growth - File lock cleanup for memory leak prevention - fsync after critical writes for durability - Bounded ToolResponseStore with automatic cleanup ### Protocol Robustness - Buffer size limits for StreamProcessor - ToolState transition validation - State machine documentation ### Numeric Safety - Saturating operations to prevent overflow/underflow - Safe UTF-8 string slicing throughout codebase ### Tools - Parameter alias support for backward compatibility - Handler name consistency fixes ## Files Modified Multiple files across cortex-tui, cortex-engine, cortex-exec, cortex-common, cortex-protocol, cortex-storage, cortex-mcp-server, and other crates. Closes #69, #70, #71, #73, #75, #80, #82, #87, #88
echobt
added a commit
that referenced
this pull request
Feb 4, 2026
This PR consolidates all bug fixes and security improvements from PRs #69-88 into a single cohesive change. ## Categories ### Security Fixes - Path traversal prevention in MCP and session storage - Shell injection prevention in restore scripts - Secure random temp files for external editor - TOCTOU race condition fixes ### TUI Improvements - Overflow prevention for u16 conversions - Cursor positioning fixes in selection lists - Unicode width handling for popups - Empty section handling in help browser ### Error Handling - Graceful semaphore and init failure handling - Improved error propagation in middleware - Better client access error handling - SystemTime operation safety ### Memory and Storage - Cache size limits to prevent unbounded growth - File lock cleanup for memory leak prevention - fsync after critical writes for durability - Bounded ToolResponseStore with automatic cleanup ### Protocol Robustness - Buffer size limits for StreamProcessor - ToolState transition validation - State machine documentation ### Numeric Safety - Saturating operations to prevent overflow/underflow - Safe UTF-8 string slicing throughout codebase ### Tools - Parameter alias support for backward compatibility - Handler name consistency fixes ## Files Modified Multiple files across cortex-tui, cortex-engine, cortex-exec, cortex-common, cortex-protocol, cortex-storage, cortex-mcp-server, and other crates. Closes #69, #70, #71, #73, #75, #80, #82, #87, #88
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR consolidates 3 numeric safety fixes into a single, cohesive change.
Included PRs:
Changes:
saturating_subandtry_intoFiles Modified:
src/cortex-compact/src/compactor.rssrc/cortex-engine/src/git_info.rssrc/cortex-engine/src/streaming.rsCloses #39, #40, #41