Fix OOB heap read crash with malicious snapshot #9268

Merged: timvisee merged 4 commits into dev from quantized-storage-size-check-on-load, Jun 3, 2026
timvisee (Member) commented Jun 2, 2026

Fixes BBP-827.

Fixes out-of-bounds heap read with a malicious snapshot. A snapshot could configure a different quantized vector length than what is actually stored. After loading the collection from such a recovered snapshot, Qdrant may read out of bounds.

This fixes the issue by enforcing a correct configured length (compared to storage) when loading quantized storage. If the configured length is not correct, an error is reported.

All Submissions:

  • My PR targets the dev branch (not master) and my branch was created from dev.
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

timvisee added the bug and security labels Jun 2, 2026
qdrant deleted a comment from coderabbitai (bot) Jun 3, 2026
qdrant deleted a comment from coderabbitai (bot) Jun 3, 2026
timvisee marked this pull request as ready for review June 3, 2026 12:58
timvisee merged commit 4e54bbc into dev Jun 3, 2026
16 checks passed
timvisee deleted the quantized-storage-size-check-on-load branch June 3, 2026 13:17
timvisee added a commit that referenced this pull request Jun 3, 2026
* Validate quantized u8 data size on load

* Validate other quantization types

* Add test

* Use fs_err
timvisee mentioned this pull request Jun 3, 2026
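
The load-time check the PR description refers to, sketched as an added example; this is not the PR's code or Qdrant's API, and the patch itself is not shown on this page. It assumes fixed-size quantized vectors packed contiguously in one byte buffer, and `QuantizedMeta`, `QuantizedStorage` and `LoadError` are hypothetical names.

```rust
// Added illustration; all names are hypothetical, not Qdrant's API.
/// Metadata read from an untrusted snapshot.
#[derive(Debug, Clone, Copy)]
pub struct QuantizedMeta {
    pub vector_count: usize,
    pub bytes_per_vector: usize,
}

#[derive(Debug, PartialEq)]
pub enum LoadError {
    SizeOverflow,
    SizeMismatch { expected: usize, actual: usize },
}

pub struct QuantizedStorage {
    data: Vec<u8>,
    meta: QuantizedMeta,
}

impl QuantizedStorage {
    /// Refuse to load when the configured sizes disagree with the stored bytes.
    pub fn load(data: Vec<u8>, meta: QuantizedMeta) -> Result<Self, LoadError> {
        // checked_mul: snapshot-controlled values must not wrap around.
        let expected = meta
            .vector_count
            .checked_mul(meta.bytes_per_vector)
            .ok_or(LoadError::SizeOverflow)?;
        if expected != data.len() {
            return Err(LoadError::SizeMismatch { expected, actual: data.len() });
        }
        Ok(Self { data, meta })
    }

    /// Once `load` has succeeded, every index below `vector_count` is in bounds.
    pub fn get(&self, index: usize) -> Option<&[u8]> {
        if index >= self.meta.vector_count {
            return None;
        }
        let start = index * self.meta.bytes_per_vector;
        self.data.get(start..start + self.meta.bytes_per_vector)
    }
}

fn main() {
    // Constructed input: 8 stored bytes, but metadata claims 2 vectors of 16 bytes.
    let bad = QuantizedMeta { vector_count: 2, bytes_per_vector: 16 };
    println!("{:?}", QuantizedStorage::load(vec![0u8; 8], bad).err());
}
```

Validating once at load keeps the per-vector accessor cheap; code that skips the check and indexes with unchecked pointer arithmetic is where a mismatched length becomes an out-of-bounds read.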