From 5cd678753cb453e4f9584622749a791ac20a03d0 Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Wed, 30 Jul 2025 21:43:27 -0700
Subject: [PATCH 1/2] Fix #847: missing range checks in statespace_*.h files

CodeQL scans flagged lines like 353 in `lib/statespace_avx512.h`, reporting that the use of offset `m` should follow the range check:

```C++
while (rs[m] < csum && m < num_samples) {
```

In more detail:

> The program contains an and-expression where the array access is defined before the range check. Consequently the array is accessed without any bounds checking. The range check does not protect the program from segmentation faults caused by attempts to read beyond the end of a buffer.

The same error exists in the following files:

* statespace_basic.h
* statespace_sse.h
* statespace_avx512.h
* statespace_avx.h
---
 lib/statespace_avx.h | 2 +-
 lib/statespace_avx512.h | 2 +-
 lib/statespace_basic.h | 2 +-
 lib/statespace_sse.h | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/statespace_avx.h b/lib/statespace_avx.h
index 876058bb4..f68733f0f 100644
--- a/lib/statespace_avx.h
+++ b/lib/statespace_avx.h
@@ -399,7 +399,7 @@ class StateSpaceAVX :
 double re = p[16 * k + j];
 double im = p[16 * k + 8 + j];
 csum += re * re + im * im;
- while (rs[m] < csum && m < num_samples) {
+ while (m < num_samples && rs[m] < csum) {
 bitstrings.emplace_back(8 * k + j);
 ++m;
 }
diff --git a/lib/statespace_avx512.h b/lib/statespace_avx512.h
index 879fd89dc..e7f431183 100644
--- a/lib/statespace_avx512.h
+++ b/lib/statespace_avx512.h
@@ -350,7 +350,7 @@ class StateSpaceAVX512 :
 double re = p[32 * k + j];
 double im = p[32 * k + 16 + j];
 csum += re * re + im * im;
- while (rs[m] < csum && m < num_samples) {
+ while (m < num_samples && rs[m] < csum) {
 bitstrings.emplace_back(16 * k + j);
 ++m;
 }
diff --git a/lib/statespace_basic.h b/lib/statespace_basic.h
index 6468483ad..41a7f8bf1 100644
--- a/lib/statespace_basic.h
+++ b/lib/statespace_basic.h
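Review bot: The reordered condition in the statespace_avx.h hunk stops the read of `rs[m]` at `m == num_samples`, but nothing in the code says the operand order is load-bearing, so a later tidy-up could swap it back; a one-line comment above the loop, `// The m < num_samples test must come before rs[m] is read.`, would pin it. The same change and the same comment apply to the statespace_avx512.h, statespace_basic.h, statespace_sse.h and statespace_cuda_kernels.h hunks. The series also adds no regression test; a sampling case in which all num_samples thresholds are consumed before the last amplitude is processed, so the loop exits on the bounds test rather than on `rs[m] < csum`, would exercise exactly the read that CodeQL flagged, though whether the existing tests already cover it is not visible here. The enclosing sampling function starts and ends outside the hunk.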
@@ -218,7 +218,7 @@ class StateSpaceBasic :
 double re = p[2 * k];
 double im = p[2 * k + 1];
 csum += re * re + im * im;
- while (rs[m] < csum && m < num_samples) {
+ while (m < num_samples && rs[m] < csum) {
 bitstrings.emplace_back(k);
 ++m;
 }
diff --git a/lib/statespace_sse.h b/lib/statespace_sse.h
index cf41a09f3..a3ed52c95 100644
--- a/lib/statespace_sse.h
+++ b/lib/statespace_sse.h
@@ -359,7 +359,7 @@ class StateSpaceSSE :
 double re = p[8 * k + j];
 double im = p[8 * k + 4 + j];
 csum += re * re + im * im;
- while (rs[m] < csum && m < num_samples) {
+ while (m < num_samples && rs[m] < csum) {
 bitstrings.emplace_back(4 * k + j);
 ++m;
 }

From 60245e43514596cb063ee5ac27f397e570b20312 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Sun, 17 Aug 2025 02:46:30 +0000
Subject: [PATCH 2/2] Fix another case

Caught by @pavoljuhas in review.
---
 lib/statespace_cuda_kernels.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/statespace_cuda_kernels.h b/lib/statespace_cuda_kernels.h
index b54ebca9a..0bc4ba706 100644
--- a/lib/statespace_cuda_kernels.h
+++ b/lib/statespace_cuda_kernels.h
@@ -317,7 +317,7 @@ __global__ void SampleKernel(unsigned num_blocks,
 FP3 re = state[l];
 FP3 im = state[l + warp_size];
 csum += re * re + im * im;
- while (rs[m] < csum && m < num_samples) {
+ while (m < num_samples && rs[m] < csum) {
 bitstrings[m++] = k0 + k;
 }
 }
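Review bot: In the SampleKernel hunk the loop can still finish with `m < num_samples` if the accumulated `csum` ends below the remaining `rs[m]` values, which FP3 rounding could presumably cause for thresholds near the total probability mass; whether the trailing `bitstrings` entries are assigned afterwards is outside the hunk, so if nothing writes them they come back uninitialized and a final fill of the remaining slots would be needed — this is inferred, not visible. The same question applies to the double-precision loops in the four CPU variants. SampleKernel's body starts before and ends after the hunk.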