Cap window_size and distance in glcm_texture (#1257)#1259
Merged
Conversation
glcm_texture() validated window_size only as >= 3 and distance only as >= 1, with no upper bound on either. The numba kernel iterates range(r-half, r+half+1) for every pixel, so window_size=1_000_001 on a 10x10 raster ran roughly 10**14 loop iterations with every neighbor failing the interior bounds check -- a CPU-time DoS from one int passed to the public API. The dask backends additionally use depth = window_size // 2 + distance for map_overlap padding, so the same input also caused oversize per-chunk allocations (memory DoS). Add caps in the public entrypoint: - window_size <= max(3, min(rows, cols)) - distance <= max(1, window_size // 2) The floor of 3 / 1 keeps the error messages coherent for very small rasters (1x1, 2x2) where the existing "must be odd, >= 3" contract would otherwise become unsatisfiable. One cap covers all four backends because cupy and dask+cupy call through to the CPU kernel after a cupy.asnumpy transfer. levels is already capped at 256 so the per-pixel np.zeros((levels, levels)) matrix is bounded. No other changes to the kernel.
This was referenced Apr 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
window_sizeatmax(3, min(rows, cols))anddistanceatmax(1, window_size // 2)inglcm_texture().window_size=1_000_001on a 10x10 raster ran ~10**14 numba loop iterations (CPU DoS), and the dask backends padded every block by(window_size, window_size)on top of the chunk (memory DoS). See glcm: unbounded window_size and distance enable CPU and memory DoS #1257.levelsis already capped at 256, so the per-pixelnp.zeros((levels, levels))matrix is bounded. No change there.glcmin.claude/sweep-security-state.json.Test plan
window_sizeand oversizedistanceat the public entrypoint.window_size == min(rows, cols),distance == window_size // 2) still work.window_size=7does not trip the new cap.pytest xrspatial/tests/test_glcm.pypasses (34/34).Closes #1257.