hhr293 commented on code in PR #12299:
URL: https://github.com/apache/gluten/pull/12299#discussion_r3457191249


##########
cpp/core/utils/tac/ffor.hpp:
##########
@@ -418,82 +452,245 @@ inline size_t compress64(const uint64_t* input, size_t 
num, uint8_t* output) {
 }
 
 // Template-based decompress with alignment dispatch.
+// decodeBlock requires aligned uint64_t* input; when the caller's input
+// buffer is unaligned, we stage through tmpIn and memcpy in.
 template <bool InAligned, bool OutAligned>
-inline size_t decompress64Impl(const uint8_t* input, size_t inputSize, 
uint64_t* output) {
-  alignas(64) uint64_t tmpIn[kMaxValuesPerBlock];
+inline size_t decompress64Impl(const uint8_t* input, size_t inputSize, 
uint64_t* output, size_t outputSize) {
+  alignas(64) uint64_t tmpIn[kMaxValuesPerBlock + 2];
   alignas(64) uint64_t tmpOut[kMaxValuesPerBlock];
 
   const uint8_t* inPtr = input;
   const uint8_t* inEnd = input + inputSize;
+  const size_t outValuesMax = outputSize / sizeof(uint64_t);
   size_t nDecoded = 0;
 
   while (inPtr + kHeaderSize <= inEnd) {
-    uint8_t bw;
-    uint8_t count;
-    uint64_t base;
-    readHeader(inPtr, bw, count, base);
-    inPtr += kHeaderSize;
-
-    if (bw == kBwTailMarker) {
-      if (count > 0) {
-        // memcpy handles any alignment, no special case needed.
-        std::memcpy(reinterpret_cast<uint8_t*>(output) + nDecoded * 
sizeof(uint64_t), inPtr, count * sizeof(uint64_t));
+    if (inPtr[0] == kBwTailMarker) {
+      const uint8_t count = inPtr[1];
+      inPtr += kHeaderSize;
+      const size_t tailBytes = static_cast<size_t>(count) * sizeof(uint64_t);
+      if (count > 0 && inPtr + tailBytes <= inEnd && count <= outValuesMax - 
nDecoded) {
+        std::memcpy(reinterpret_cast<uint8_t*>(output) + nDecoded * 
sizeof(uint64_t), inPtr, tailBytes);
         nDecoded += count;
       }
       break;
     }
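Review bot: The input-side bound in the tail branch, `inPtr + tailBytes <= inEnd`, is written as pointer arithmetic on a length derived from an untrusted header byte. Forming a pointer more than one past the end of the input buffer is undefined behaviour, so the compiler may assume the sum never overshoots. Comparing lengths keeps the check well-defined for every `count`: `tailBytes <= static_cast<size_t>(inEnd - inPtr)`. The loop condition `inPtr + kHeaderSize <= inEnd` has the same shape and could read `static_cast<size_t>(inEnd - inPtr) >= kHeaderSize`. The body of decompress64Impl continues past the end of this quoted hunk, so the block-decoding path is not covered here.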

Review Comment:
   OOB is already closed by count > outValuesMax - nDecoded — any count is 
memory-safe. The tail path is a raw memcpy, not a parse, so count >= kLanes is 
well-defined to decode. The < kLanes invariant lives on the encoder side (while 
(remaining >= kLanes)), and the existing TypeAwareCompressCodec value-count 
check already surfaces malformed streams to the caller. Adding the check just 
moves which line the early-break triggers on without catching anything new.
   


