Merge pull request #232 from 404Setup/sentinel-cuda-validation-7675462695814040533

404Setup · web-flow · commit b2c86a6e3a9f · 2026-02-18T20:54:52.000+08:00
🛡️ Sentinel: Validate GPU compression output sizes
diff --git a/src/batch_cuda.rs b/src/batch_cuda.rs
@@ -120,6 +120,17 @@ impl CudaBatchCompressor {
                 let offset = output_offsets[i] as usize;
                 let size = size as usize;
 
+                // Security: Validate GPU output sizes to prevent panics or OOB access
+                if offset.checked_add(size).ok_or("Integer overflow in offset calculation")? > total_output_bound {
+                    return Err("GPU returned invalid compressed size (buffer overflow)".into());
+                }
+
+                // Double check against expected bound
+                let expected_bound = crate::compress::Compressor::deflate_compress_bound(inputs[i].len());
+                if size > expected_bound {
+                    return Err("GPU returned invalid compressed size (exceeds bound)".into());
+                }
+
                 let slice = dev_output.slice(offset..offset + size);
                 let host_data = self.device.dtoh_sync_copy(&slice)?;
                 results.push(host_data);
