Harden Offset Validation for Bitmap Operations (#1610)

* bound validation for max 512MB strings

* add BITPOS validation

* add BITCOUNT offset validation

* addressing comments

* fix slot verification test

* addressing comments

* making check in backend bitfield call Debug.Assert

* fix formatting

* fix Release build

Author: vazois

libs/server/Resp/Bitmap/BitmapCommands.cs

@@ -138,7 +138,7 @@ private bool NetworkStringSetBit<TGarnetApi>(ref TGarnetApi storageApi)
             var sbKey = parseState.GetArgSliceByRef(0).SpanByte;
 
             // Validate offset
-            if (!parseState.TryGetLong(1, out var offset) || (offset < 0))
+            if (!parseState.TryGetLong(1, out var offset) || (offset < 0) || !BitmapManager.IsValidBitOffset(offset))
             {
                 return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
             }
@@ -178,7 +178,7 @@ private bool NetworkStringGetBit<TGarnetApi>(ref TGarnetApi storageApi)
             var sbKey = parseState.GetArgSliceByRef(0).SpanByte;
 
             // Validate offset
-            if (!parseState.TryGetLong(1, out var offset) || (offset < 0))
+            if (!parseState.TryGetLong(1, out var offset) || (offset < 0) || !BitmapManager.IsValidBitOffset(offset))
             {
                 return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
             }
@@ -205,29 +205,43 @@ private bool NetworkStringBitCount<TGarnetApi>(ref TGarnetApi storageApi)
             where TGarnetApi : IGarnetApi
         {
             var count = parseState.Count;
-            if (count < 1 || count > 4)
+            if (count is not 1 and not 3 and not 4)
             {
                 return AbortWithWrongNumberOfArguments(nameof(RespCommand.BITCOUNT));
             }
 
             // <[Get Key]>
             var sbKey = parseState.GetArgSliceByRef(0).SpanByte;
 
-            // Validate start & end offsets, if exist
-            if (parseState.Count > 1)
+            // Extract parameters in command order:
+            // start, end, [BIT|BYTE]
+            var useBitIndex = true;
+            if (count > 1)
             {
-                if (!parseState.TryGetInt(1, out _) || (parseState.Count > 2 && !parseState.TryGetInt(2, out _)))
+                if (!parseState.TryGetLong(1, out _) || !parseState.TryGetLong(2, out _))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_VALUE_IS_NOT_INTEGER);
                 }
-            }
 
-            var input = new RawStringInput(RespCommand.BITCOUNT, ref parseState, startIdx: 1);
+                if (count > 3)
+                {
+                    var spanOffsetType = parseState.GetArgSliceByRef(3).ReadOnlySpan;
+                    if (spanOffsetType.EqualsUpperCaseSpanIgnoringCase("BIT"u8))
+                        useBitIndex = true;
+                    else if (spanOffsetType.EqualsUpperCaseSpanIgnoringCase("BYTE"u8))
+                        useBitIndex = false;
+                    else
+                    {
+                        return AbortWithErrorMessage(CmdStrings.RESP_SYNTAX_ERROR);
+                    }
 
-            var o = new SpanByteAndMemory(dcurr, (int)(dend - dcurr));
 
-            var status = storageApi.StringBitCount(ref sbKey, ref input, ref o);
+                }
+            }
 
+            var input = new RawStringInput(RespCommand.BITCOUNT, ref parseState, startIdx: 1, arg1: useBitIndex ? 1 : 0);
+            var o = new SpanByteAndMemory(dcurr, (int)(dend - dcurr));
+            var status = storageApi.StringBitCount(ref sbKey, ref input, ref o);
             if (status == GarnetStatus.OK)
             {
                 if (!o.IsSpanByte)
@@ -251,7 +265,7 @@ private bool NetworkStringBitPosition<TGarnetApi>(ref TGarnetApi storageApi)
             where TGarnetApi : IGarnetApi
         {
             var count = parseState.Count;
-            if (count < 2 || count > 5)
+            if (count is < 2 or > 5)
             {
                 return AbortWithWrongNumberOfArguments(nameof(RespCommand.BITPOS));
             }
@@ -266,31 +280,57 @@ private bool NetworkStringBitPosition<TGarnetApi>(ref TGarnetApi storageApi)
                 return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BIT_IS_NOT_INTEGER);
             }
 
-            // Validate start & end offsets, if exist
-            if (parseState.Count > 2)
+            long startOffset = 0;
+            long endOffset = -1;
+            byte offsetType = 0x0;
+            var hasStartOffset = false;
+            var hasEndOffset = false;
+
+            // Extract parameters in command order, consistent with PrivateMethods BITPOS decoding:
+            // bit, start, end, [BIT|BYTE]
+            if (count > 2)
             {
-                if (!parseState.TryGetInt(2, out _) ||
-                    (parseState.Count > 3 && !parseState.TryGetInt(3, out _)))
+                // start
+                if (!parseState.TryGetLong(2, out startOffset))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_VALUE_IS_NOT_INTEGER);
                 }
-            }
+                hasStartOffset = true;
 
-            // Validate offset range type (BIT / BYTE), if exists
-            if (parseState.Count > 4)
-            {
-                var sbOffsetType = parseState.GetArgSliceByRef(4).ReadOnlySpan;
-                if (!sbOffsetType.EqualsUpperCaseSpanIgnoringCase("BIT"u8) &&
-                    !sbOffsetType.EqualsUpperCaseSpanIgnoringCase("BYTE"u8))
+                if (count > 3)
                 {
-                    return AbortWithErrorMessage(CmdStrings.RESP_SYNTAX_ERROR);
+                    // end
+                    if (!parseState.TryGetLong(3, out endOffset))
+                    {
+                        return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_VALUE_IS_NOT_INTEGER);
+                    }
+                    hasEndOffset = true;
+
+                    if (count > 4)
+                    {
+                        // Optional index type (default BYTE)
+                        var sbOffsetType = parseState.GetArgSliceByRef(4).ReadOnlySpan;
+                        if (sbOffsetType.EqualsUpperCaseSpanIgnoringCase("BIT"u8))
+                        {
+                            offsetType = 0x1;
+                        }
+                        else if (!sbOffsetType.EqualsUpperCaseSpanIgnoringCase("BYTE"u8))
+                        {
+                            return AbortWithErrorMessage(CmdStrings.RESP_SYNTAX_ERROR);
+                        }
+                    }
                 }
             }
 
-            var input = new RawStringInput(RespCommand.BITPOS, ref parseState, startIdx: 1);
+            if (BitmapManager.TryValidateBitPosOffsets(startOffset, endOffset, offsetType, hasStartOffset, hasEndOffset))
+            {
+                while (!RespWriteUtils.TryWriteInt64(-1, ref dcurr, dend))
+                    SendAndReset();
+                return true;
+            }
 
+            var input = new RawStringInput(RespCommand.BITPOS, ref parseState, startIdx: 1);
             var o = new SpanByteAndMemory(dcurr, (int)(dend - dcurr));
-
             var status = storageApi.StringBitPosition(ref sbKey, ref input, ref o);
 
             if (status == GarnetStatus.OK)
@@ -385,17 +425,23 @@ private bool StringBitField<TGarnetApi>(ref TGarnetApi storageApi)
 
                 // [GET <encoding> <offset>] [SET <encoding> <offset> <value>] [INCRBY <encoding> <offset> <increment>]
                 // Process encoding argument
-                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldEncoding(currTokenIdx, out _, out _))
+                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldEncoding(currTokenIdx, out var bitCount, out _))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_INVALID_BITFIELD_TYPE);
                 }
                 var encodingSlice = parseState.GetArgSliceByRef(currTokenIdx++);
 
                 // Process offset argument
-                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldOffset(currTokenIdx, out _, out _))
+                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldOffset(currTokenIdx, out var offset, out var multiplyOffset))
+                {
+                    return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
+                }
+
+                if (!BitmapManager.TryValidateBitfieldOffset(offset, (byte)bitCount, multiplyOffset, out _, out _))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
                 }
+
                 var offsetSlice = parseState.GetArgSliceByRef(currTokenIdx++);
 
                 // GET Subcommand takes 2 args, encoding and offset
@@ -467,17 +513,23 @@ private bool StringBitFieldReadOnly<TGarnetApi>(ref TGarnetApi storageApi)
                 // GET Subcommand takes 2 args, encoding and offset
 
                 // Process encoding argument
-                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldEncoding(currTokenIdx, out _, out _))
+                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldEncoding(currTokenIdx, out var bitCount, out _))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_INVALID_BITFIELD_TYPE);
                 }
                 var encodingSlice = parseState.GetArgSliceByRef(currTokenIdx++);
 
                 // Process offset argument
-                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldOffset(currTokenIdx, out _, out _))
+                if ((currTokenIdx >= parseState.Count) || !parseState.TryGetBitfieldOffset(currTokenIdx, out var offset, out var multiplyOffset))
                 {
                     return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
                 }
+
+                if (!BitmapManager.TryValidateBitfieldOffset(offset, (byte)bitCount, multiplyOffset, out _, out _))
+                {
+                    return AbortWithErrorMessage(CmdStrings.RESP_ERR_GENERIC_BITOFFSET_IS_NOT_INTEGER);
+                }
+
                 var offsetSlice = parseState.GetArgSliceByRef(currTokenIdx++);
 
                 secondaryCommandArgs.Add((RespCommand.GET, [commandSlice, encodingSlice, offsetSlice]));

libs/server/Resp/Bitmap/BitmapManager.cs

@@ -1,7 +1,9 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
+using System;
 using System.Runtime.CompilerServices;
+using Garnet.common;
 
 #pragma warning disable IDE0054 // Use compound assignment
 #pragma warning disable IDE1006 // Naming Styles
@@ -14,12 +16,103 @@ namespace Garnet.server
     public unsafe partial class BitmapManager
     {
         static readonly byte[] lookup = [0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe, 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf];
+        internal const int MaxBitmapPayloadBytes = 512 * 1024 * 1024;
+        internal const long MaxOffsetForBitmapLength = (MaxBitmapPayloadBytes * 8L) - 1;
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
-        private static int Index(long offset) => (int)(offset >> 3);
+        internal static bool IsValidBitOffset(long offset)
+            => (ulong)offset <= (ulong)MaxOffsetForBitmapLength;
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
-        private static int LengthInBytes(long offset) => (int)((offset >> 3) + 1);
+        internal static bool TryValidateLengthInBytes(long offset, out int lengthInBytes)
+        {
+            lengthInBytes = default;
+            if (!IsValidBitOffset(offset))
+                return false;
+
+            lengthInBytes = (int)((offset >> 3) + 1);
+            return true;
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        internal static bool TryValidateBitfieldOffset(long offset, byte bitCount, bool multiplyOffset, out long normalizedOffset, out long endOffset)
+        {
+            normalizedOffset = default;
+            endOffset = default;
+
+            if (bitCount == 0)
+                return false;
+
+            try
+            {
+                normalizedOffset = multiplyOffset
+                    ? checked(offset * bitCount)
+                    : offset;
+
+                if (normalizedOffset < 0)
+                    return false;
+
+                endOffset = checked(normalizedOffset + bitCount - 1);
+            }
+            catch (OverflowException)
+            {
+                return false;
+            }
+
+            return IsValidBitOffset(endOffset);
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        internal static bool TryValidateBitPosOffsets(long startOffset, long endOffset, byte offsetType, bool hasStartOffset, bool hasEndOffset)
+        {
+            // BYTE mode uses byte index bounds; BIT mode uses bit index bounds.
+            var maxOffset = offsetType == 0x1
+                ? MaxOffsetForBitmapLength
+                : MaxBitmapPayloadBytes - 1L;
+
+            if (hasStartOffset && (startOffset < -maxOffset || startOffset > maxOffset))
+                return true;
+
+            if (hasEndOffset && (endOffset < -maxOffset || endOffset > maxOffset))
+                return true;
+
+            return false;
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        internal static void NormalizeBitCountOffsets(ref long startOffset, ref long endOffset, byte offsetType)
+        {
+            // BYTE mode uses byte index bounds; BIT mode uses bit index bounds.
+            var maxOffset = offsetType == 0x1
+                ? MaxOffsetForBitmapLength
+                : MaxBitmapPayloadBytes - 1L;
+
+            if (startOffset < -maxOffset)
+                startOffset = -maxOffset;
+            else if (startOffset > maxOffset)
+                startOffset = maxOffset;
+
+            if (endOffset < -maxOffset)
+                endOffset = -maxOffset;
+            else if (endOffset > maxOffset)
+                endOffset = maxOffset;
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private static int Index(long offset)
+        {
+            if (!IsValidBitOffset(offset))
+                throw new GarnetException("ERR value is not an integer or out of range.");
+            return (int)(offset >> 3);
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private static int LengthInBytes(long offset)
+        {
+            if (!TryValidateLengthInBytes(offset, out var lengthInBytes))
+                throw new GarnetException("ERR value is not an integer or out of range.");
+            return lengthInBytes;
+        }
 
         /// <summary>
         /// Check to see if offset contained by value size
@@ -101,8 +194,8 @@ public static byte GetBit(long offset, byte* value, int valLen)
         }
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
-        private static long ProcessNegativeOffset(long offset, int valLen)
-            => (offset % valLen) + valLen;
+        private static long ProcessNegativeOffset(long offset, long valLen)
+            => valLen <= 0 ? 0 : (offset % valLen) + valLen;
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         private static byte reverse(byte n)

libs/server/Resp/Bitmap/BitmapManagerBitCount.cs

@@ -65,6 +65,8 @@ public static long BitCountDriver(long startOffset, long endOffset, byte offsetT
         {
             long count = 0;
 
+            NormalizeBitCountOffsets(ref startOffset, ref endOffset, offsetType);
+
             // BYTE indexing
             if (offsetType == 0x0)
             {
@@ -80,8 +82,21 @@ public static long BitCountDriver(long startOffset, long endOffset, byte offsetT
             }
             else // BIT Flag
             {
-                startOffset = startOffset < 0 ? ProcessNegativeOffset(startOffset, valLen * 8) : startOffset;
-                endOffset = endOffset < 0 ? ProcessNegativeOffset(endOffset, valLen * 8) : endOffset;
+                var bitLen = (long)valLen * 8;
+                if (bitLen == 0)
+                    return 0;
+
+                startOffset = startOffset < 0 ? ProcessNegativeOffset(startOffset, bitLen) : startOffset;
+                endOffset = endOffset < 0 ? ProcessNegativeOffset(endOffset, bitLen) : endOffset;
+
+                if (startOffset >= bitLen)
+                    return 0;
+
+                if (startOffset > endOffset)
+                    return 0;
+
+                endOffset = endOffset >= bitLen ? bitLen - 1 : endOffset;
+
                 count += BitIndexCount(value, startOffset, endOffset);
 
                 // Adjust offsets to skip first and last byte

libs/server/Resp/Bitmap/BitmapManagerBitPos.cs

@@ -37,8 +37,9 @@ public static long BitPosDriver(byte* input, int inputLen, long startOffset, lon
             }
             else
             {
-                startOffset = startOffset < 0 ? ProcessNegativeOffset(startOffset, inputLen * 8) : startOffset;
-                endOffset = endOffset < 0 ? ProcessNegativeOffset(endOffset, inputLen * 8) : endOffset;
+                var bitLen = (long)inputLen * 8;
+                startOffset = startOffset < 0 ? ProcessNegativeOffset(startOffset, bitLen) : startOffset;
+                endOffset = endOffset < 0 ? ProcessNegativeOffset(endOffset, bitLen) : endOffset;
 
                 var startByteIndex = startOffset >> 3;
                 var endByteIndex = endOffset >> 3;
@@ -49,7 +50,7 @@ public static long BitPosDriver(byte* input, int inputLen, long startOffset, lon
                 if (startByteIndex > endByteIndex) // If start offset beyond endOffset return 0
                     return -1;
 
-                endOffset = endByteIndex >= inputLen ? inputLen << 3 : endOffset;
+                endOffset = endByteIndex >= inputLen ? bitLen : endOffset;
 
                 // BIT search
                 return BitPosBitSearch(input, inputLen, startOffset, endOffset, searchFor);
@@ -69,11 +70,11 @@ private static long BitPosBitSearch(byte* input, long inputLen, long startBitOff
         {
             var searchBit = searchFor == 1;
             var invalidPayload = (byte)(searchBit ? 0x00 : 0xff);
-            var currentBitOffset = (int)startBitOffset;
+            var currentBitOffset = startBitOffset;
             while (currentBitOffset <= endBitOffset)
             {
-                var byteIndex = currentBitOffset >> 3;
-                var leftBitOffset = currentBitOffset & 7;
+                var byteIndex = (int)(currentBitOffset >> 3);
+                var leftBitOffset = (int)(currentBitOffset & 7);
                 var boundary = 8 - leftBitOffset;
                 var rightBitOffset = currentBitOffset + boundary <= endBitOffset ? leftBitOffset + boundary : (int)(endBitOffset & 7) + 1;