Fix heap buffer overflow in NDCELL decompression path

[saddamr3e]

Fix a heap buffer overflow in the NDCELL filter caused by insufficient validation of block geometry embedded in the attacker-controlled b2nd metalayer.

Root Cause

ndcell_forward() and ndcell_backward() computed:

int32_t blocksize = (int32_t) typesize;
for (i = 0; i < ndim; i++) {
    blocksize *= blockshape[i];
}

using 32-bit arithmetic. A crafted blockshape could cause the product to wrap around and match the supplied block length, allowing malformed metadata to bypass validation.

Subsequent index calculations used the actual block dimensions, which could lead to out-of-bounds memory accesses during filter processing.

Fix

• Compute block size using int64_t.
• Reject non-positive typesize values.
• Reject non-positive blockshape dimensions.
• Abort processing when the running product exceeds the block length.
• Update validation checks to compare against the 64-bit block size.

Tests

Added a dedicated regression test covering:

• Blockshape values whose 32-bit product wraps onto the supplied block length.
• Zero block dimensions.
• Negative block dimensions.

[Copilot]

Pull request overview

Hardens the NDCELL filter’s decompression (and compression) paths against attacker-controlled b2nd metalayer geometry by preventing 32-bit overflow/wraparound in block-size validation, and adds a regression test to prevent reintroducing the issue.

Changes:

• Compute and validate blocksize using 64-bit arithmetic and reject invalid typesize / blockshape values early.
• Add a regression test that exercises wraparound and invalid blockshape dimensions.
• Wire the new regression test into the NDCELL plugin CMake/CTest targets.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
plugins/filters/ndcell/ndcell.c	Adds 64-bit blocksize validation and stricter geometry checks in forward/backward paths.
plugins/filters/ndcell/test_ndcell_oversized_blockshape.c	Introduces a regression test targeting oversized/wrapping and invalid blockshape metadata.
plugins/filters/ndcell/CMakeLists.txt	Builds and registers the new regression test with CTest.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[saddamr3e]

Changed int8_t cell_shape = (int8_t) meta; to int cell_shape = (int) meta; and added a cell_shape <= 0 guard before pow()/division. meta is a uint8_t (0–255); the old int8_t cast made 0 a divide-by-zero in (blockshape[i] + cell_shape - 1) / cell_shape and turned 128–255 into negative geometry.

[saddamr3e]

Same fix on the attacker-controlled decompression path, placed before cell_size/division use.

[saddamr3e]

"Length not equal to blocksize" now logs both values: "...%d %lld", length, (long long) blocksize, matching the forward path.

[saddamr3e]

Added a 64-byte 0xAC canary immediately after the output buffer and a post-call check, so a partial scatter-write that precedes the error return is caught — not just the return code. Added <string.h> for memset.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

[saddamr3e]

Fixed. cell_size is now int64_t, computed with checked multiplication that bails with BLOSC2_ERROR_FAILURE if the running product would exceed INT64_MAX — no more (int) pow() overflow/UB. The downstream guard is now cell_size > (int64_t) length / typesize, which can't overflow.

[saddamr3e]

Same fix applied here on the decompression path. Since meta is attacker-controlled, this matters more — checked 64-bit multiply rejects oversized cell_shape^ndim before it can bypass the buffer-size check, and the check itself is overflow-safe (length == blocksize guarantees the division is exact).

[saddamr3e]

Removed. ndcell.h is already included and declares ndcell_backward, so I dropped the local prototype to avoid signature drift.

[FrancescAlted]

LGTM. Thanks @saddamr3e !