
fix(core): prevent integer overflow in parse_into_range for u64::MAX bounds #7397

Open
TennyZhuang wants to merge 2 commits into apache:main from TennyZhuang:fix/parse-into-range-overflow

@TennyZhuang
Contributor

Which issue does this PR close?

N/A — discovered via code review of boundary edge cases.

Rationale for this change

`ReadContext::parse_into_range` converts `RangeBounds<u64>` into `Range<u64>` by adding 1 for `Bound::Excluded` start and `Bound::Included` end. When the bound value is `u64::MAX`, this causes:

  • Debug builds: panic due to integer overflow
  • Release builds: silent wraparound to 0, producing an incorrect range

Both outcomes are wrong. Users can trigger this with ranges like `..=u64::MAX` or `(Bound::Excluded(u64::MAX), Bound::Unbounded)`.

What changes are included in this PR?

  • Replace `v + 1` with `v.checked_add(1)` for both `Bound::Excluded` start and `Bound::Included` end in `parse_into_range`
  • Return `ErrorKind::RangeNotSatisfied` on overflow instead of panicking or wrapping
  • Add two deterministic tests covering the `u64::MAX` edge cases

Are there any user-facing changes?

Ranges that previously caused a panic (debug) or silent incorrect behavior (release) now return a clear `RangeNotSatisfied` error.

AI Usage Statement

This PR was authored with assistance from Claude (Anthropic), used for code review, bug identification, fix implementation, and test writing.

…bounds

`parse_into_range` uses `v + 1` to convert `Bound::Excluded` start and
`Bound::Included` end bounds into a `Range<u64>`. When users pass
`..=u64::MAX` or `(Bound::Excluded(u64::MAX), ..)`, this causes:
- Panic in debug builds (integer overflow)
- Silent wrap to 0 in release builds (incorrect range calculation)

Both are user-triggerable through public Reader methods like `read()`,
`read_into()`, `into_stream()`, `into_futures_async_read()`, and
`into_bytes_stream()`, all of which accept `RangeBounds<u64>`.

Fix: use `checked_add(1)` and return `ErrorKind::RangeNotSatisfied`
when the bound value cannot be incremented.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@TennyZhuang TennyZhuang requested a review from Xuanwo as a code owner April 17, 2026 06:57
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. releases-note/fix The PR fixes a bug or has a title that begins with "fix" labels Apr 17, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
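
The overflow and the checked fix described above, as a stand-alone sketch added here; it is not code from the PR or from the project. `to_range_wrapping`, `to_range_checked`, the `RangeNotSatisfied` struct and the `size` parameter are hypothetical names, and `wrapping_add` stands in for what `v + 1` does in a release build.

```rust
use std::ops::{Bound, Range, RangeBounds};

// Hypothetical stand-in for the error kind named in the PR.
#[derive(Debug, PartialEq)]
pub struct RangeNotSatisfied;

// Unchecked conversion; wrapping_add reproduces the release-build wraparound
// of `v + 1` in every build profile. `size` (assumed) is used for an open end.
pub fn to_range_wrapping(r: impl RangeBounds<u64>, size: u64) -> Range<u64> {
    let start = match r.start_bound() {
        Bound::Included(&v) => v,
        Bound::Excluded(&v) => v.wrapping_add(1),
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&v) => v.wrapping_add(1),
        Bound::Excluded(&v) => v,
        Bound::Unbounded => size,
    };
    start..end
}

// Checked conversion: a bound that cannot be incremented becomes an error.
pub fn to_range_checked(
    r: impl RangeBounds<u64>,
    size: u64,
) -> Result<Range<u64>, RangeNotSatisfied> {
    let start = match r.start_bound() {
        Bound::Included(&v) => v,
        Bound::Excluded(&v) => v.checked_add(1).ok_or(RangeNotSatisfied)?,
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&v) => v.checked_add(1).ok_or(RangeNotSatisfied)?,
        Bound::Excluded(&v) => v,
        Bound::Unbounded => size,
    };
    Ok(start..end)
}

fn main() {
    let past_end = (Bound::Excluded(u64::MAX), Bound::<u64>::Unbounded);
    // Constructed inputs; 100 is an assumed object size.
    println!("{:?}", to_range_wrapping(..=u64::MAX, 100)); // "read all" becomes empty
    println!("{:?}", to_range_wrapping(past_end, 100)); // unsatisfiable becomes whole object
    println!("{:?}", to_range_checked(..=u64::MAX, 100));
    println!("{:?}", to_range_checked(past_end, 100));
    println!("{:?}", to_range_checked(10..=19, 100));
}
```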