Memory safety / potential out-of-bounds read during RDB deserialization

During RDB loading of binary quantized vectors, the code computed the number of bytes per vector using a simplistic expression: dim * (quant_type == HNSW_QUANT_Q8 ? 1 : 4). This could yield an incorrect vector_bytes for certain quantization configurations. The mismatch between vector_len and vector_bytes would only trigger a warning but not necessarily abort processing, leaving a potential path for out-of-bounds memory access or data corruption when deserializing vectors. The patch replaces the calculation with hnsw_quants_bytes(vset->hnsw), which derives the correct per-vector byte size from the current HNSW quantization settings, ensuring the bounds check is correct during RDB loading and preventing memory safety issues.

Author: antirez

Date: 2025-01-27 18:30 UTC

Message:

Vulnerability Type: Memory safety (buffer overflow)

Confidence: MEDIUM

Reasoning:

The change corrects the calculation of the expected vector byte size when loading binary quantities, aligning it with the actual HNSW quantization bytes. This tightens the bounds check during deserialization, reducing the risk of out-of-bounds memory access or corrupted data during RDB loading, which is a memory-safety vulnerability path.

Vulnerability Type: Memory safety / potential out-of-bounds read during RDB deserialization

Confidence: MEDIUM

Affected Versions: 8.6.2