rzstd 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 831259e481d6ea30d50a765ed67b4e574a2e71ba2bdfaba53ec7e529d07373a7
-  data.tar.gz: 158331395ece67a5f87ca0c6c42d7e8cc6f92fcc0dfd4334aa3830a663bce47b
+  metadata.gz: f499740d25842f109c142aaf1ff24648a317e10f3ac2600157fe73151bad7fc7
+  data.tar.gz: 21a645b344ae469809a95a1500d87cf72326e72c5d4d1005cc0cf7b15c07b05d
 SHA512:
-  metadata.gz: 60dafb7dde062a01c77db4d04b2aa337e29b831bcdc1d69eae5c7b89861e85f1c9f55326e9163bb2d66d913a55a5288e9de9a65e148462f5f2d7c2f32e442a3d
-  data.tar.gz: bef641270ddcc3b275579741a43143174f39e9ab6fba5c8fd899edb98a6ff8ddd0ba707ffdff62f5f0004b598ec778c85dcfaf346c3af6e8a22d625b25a51ada
+  metadata.gz: 070d5a73c25d55de6b04b2b373dd6bfd925381984346bf7683a57027dd77fadcd4c60941c2a408550116292f7181cefbd6ae62b618e529433519bbf4abb39569
+  data.tar.gz: 807f3d87206810f19d528630ea1e1054067e3c0e79ae6eebff97605715dbc8abdcf30f94898f3d21196be04cb7819d7e54382de0a76a2dc65cdea6521bf41a7a

data/Cargo.lock

@@ -334,7 +334,7 @@ checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
 
 [[package]]
 name = "rzstd"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "magnus",
  "rb-sys",

data/ext/rzstd/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name    = "rzstd"
-version = "0.1.0"
+version = "0.2.0"
 edition = "2021"
 
 [lib]

data/ext/rzstd/src/lib.rs

@@ -9,6 +9,8 @@ use zstd_safe::{CCtx, CParameter, DCtx};
 const ZSTD_FRAME_MAGIC: [u8; 4] = [0x28, 0xB5, 0x2F, 0xFD];
 
 static DECOMPRESS_ERROR: OnceLock<Opaque<ExceptionClass>> = OnceLock::new();
+static MISSING_CONTENT_SIZE_ERROR: OnceLock<Opaque<ExceptionClass>> = OnceLock::new();
+static OUTPUT_SIZE_LIMIT_ERROR: OnceLock<Opaque<ExceptionClass>> = OnceLock::new();
 
 fn decompress_error(ruby: &Ruby) -> ExceptionClass {
     ruby.get_inner(
@@ -18,6 +20,22 @@ fn decompress_error(ruby: &Ruby) -> ExceptionClass {
     )
 }
 
+fn missing_content_size_error(ruby: &Ruby) -> ExceptionClass {
+    ruby.get_inner(
+        *MISSING_CONTENT_SIZE_ERROR
+            .get()
+            .expect("MissingContentSizeError not initialized"),
+    )
+}
+
+fn output_size_limit_error(ruby: &Ruby) -> ExceptionClass {
+    ruby.get_inner(
+        *OUTPUT_SIZE_LIMIT_ERROR
+            .get()
+            .expect("OutputSizeLimitError not initialized"),
+    )
+}
+
 // ---------- module-level: persistent CCtx / DCtx for the no-dict path ----------
 //
 // The whole reason this gem exists is that the upstream `zstd-ruby` gem
@@ -64,36 +82,127 @@ fn rzstd_compress(ruby: &Ruby, rb_input: RString, level: i32) -> Result<RString,
     Ok(ruby.str_from_slice(&out))
 }
 
-fn rzstd_decompress(ruby: &Ruby, rb_input: RString) -> Result<RString, Error> {
-    // SAFETY: copy borrowed bytes before any Ruby allocation.
-    let compressed: Vec<u8> = unsafe { rb_input.as_slice().to_vec() };
+// Single-shot bounded decompress shared by the global and dictionary
+// paths. Returns the decoded plaintext or a tagged error so the caller
+// can map it onto the appropriate Ruby exception class. `max_output`
+// of 0 means "no upper bound set"; any other value enforces the RFC
+// rule that a frame's declared Frame_Content_Size must be present and
+// must fit within that cap, and rejects the frame on the header alone
+// (no decoder invocation, no output allocation) when either condition
+// is violated. With no cap set, frames lacking Frame_Content_Size fall
+// back to a 1 MiB ceiling (legacy behavior for third-party producers).
+//
+enum BoundedError {
+    BadMagic,
+    MissingContentSize,
+    OutputSizeLimit { declared: u64, limit: u64 },
+    DecoderFailed(String),
+}
+
 
-    // Reject anything that isn't a well-formed zstd frame up front. zstd
-    // permissively returns 0 for some malformed inputs and we'd rather not
-    // mask "sender forgot --compress" mistakes in callers.
+fn decompress_bounded(
+    compressed: &[u8],
+    max_output: usize,
+    dctx: &mut DCtx<'_>,
+) -> Result<Vec<u8>, BoundedError> {
     if compressed.len() < ZSTD_FRAME_MAGIC.len() || compressed[..4] != ZSTD_FRAME_MAGIC {
+        return Err(BoundedError::BadMagic);
+    }
+
+    let upper = match zstd_safe::get_frame_content_size(compressed) {
+        Ok(Some(n)) => {
+            if max_output != 0 && n > max_output as u64 {
+                return Err(BoundedError::OutputSizeLimit {
+                    declared: n,
+                    limit: max_output as u64,
+                });
+            }
+            if n > u64::from(u32::MAX) {
+                return Err(BoundedError::OutputSizeLimit {
+                    declared: n,
+                    limit: u64::from(u32::MAX),
+                });
+            }
+            n as usize
+        }
+        Ok(None) => {
+            if max_output != 0 {
+                return Err(BoundedError::MissingContentSize);
+            }
+            1024 * 1024
+        }
+        Err(_) => return Err(BoundedError::BadMagic),
+    };
+
+    let mut out = vec![0u8; upper];
+    let n = dctx
+        .decompress(&mut out, compressed)
+        .map_err(|code| BoundedError::DecoderFailed(format!("{code}")))?;
+    out.truncate(n);
+    Ok(out)
+}
+
+
+fn raise_bounded(ruby: &Ruby, err: BoundedError, prefix: &str) -> Error {
+    match err {
+        BoundedError::BadMagic => Error::new(
+            decompress_error(ruby),
+            format!("{prefix}: bad magic (input is not a Zstd frame)"),
+        ),
+        BoundedError::MissingContentSize => Error::new(
+            missing_content_size_error(ruby),
+            format!("{prefix}: Frame_Content_Size absent from frame header"),
+        ),
+        BoundedError::OutputSizeLimit { declared, limit } => Error::new(
+            output_size_limit_error(ruby),
+            format!("{prefix}: declared content size {declared} exceeds limit {limit}"),
+        ),
+        BoundedError::DecoderFailed(msg) => {
+            Error::new(decompress_error(ruby), format!("{prefix}: {msg}"))
+        }
+    }
+}
+
+
+// Reads the `Frame_Content_Size` field from a Zstandard frame header
+// without invoking the decoder. Returns `Some(n)` if the producer wrote
+// it, `None` if the frame header omits it, and an error if the input
+// isn't a well-formed Zstandard frame. Callers enforcing a bounded
+// decompressed size MUST use this before `decompress` to reject frames
+// whose declared size already exceeds their limit.
+fn rzstd_get_frame_content_size(
+    ruby: &Ruby,
+    rb_input: RString,
+) -> Result<Option<u64>, Error> {
+    let bytes: Vec<u8> = unsafe { rb_input.as_slice().to_vec() };
+    if bytes.len() < ZSTD_FRAME_MAGIC.len() || bytes[..4] != ZSTD_FRAME_MAGIC {
         return Err(Error::new(
             decompress_error(ruby),
             "zstd frame decode failed: bad magic (input is not a Zstd frame)",
         ));
     }
+    match zstd_safe::get_frame_content_size(&bytes) {
+        Ok(Some(n)) => Ok(Some(n)),
+        Ok(None) => Ok(None),
+        Err(code) => Err(Error::new(
+            decompress_error(ruby),
+            format!("zstd frame header parse failed: {code:?}"),
+        )),
+    }
+}
+
+
+fn rzstd_decompress(
+    ruby: &Ruby,
+    rb_input: RString,
+    max_output: usize,
+) -> Result<RString, Error> {
+    // SAFETY: copy borrowed bytes before any Ruby allocation.
+    let compressed: Vec<u8> = unsafe { rb_input.as_slice().to_vec() };
 
-    // Frames produced by `compress2` always carry frame_content_size, so
-    // we can preallocate exactly. For frames without it (third-party
-    // producers) we fall back to a 1 MiB ceiling and grow as needed.
-    let upper = match zstd_safe::get_frame_content_size(&compressed) {
-        Ok(Some(n)) if n <= u64::from(u32::MAX) => n as usize,
-        _ => 1024 * 1024,
-    };
-    let mut out = vec![0u8; upper];
     let mut dctx = global_dctx().lock().expect("global DCtx mutex poisoned");
-    let n = dctx.decompress(&mut out, &compressed).map_err(|code| {
-        Error::new(
-            decompress_error(ruby),
-            format!("zstd frame decode failed: {code}"),
-        )
-    })?;
-    out.truncate(n);
+    let out = decompress_bounded(&compressed, max_output, &mut dctx)
+        .map_err(|e| raise_bounded(ruby, e, "zstd frame decode failed"))?;
     Ok(ruby.str_from_slice(&out))
 }
 
@@ -208,37 +317,17 @@ fn dict_decompress(
     ruby: &Ruby,
     rb_self: &Dictionary,
     rb_input: RString,
+    max_output: usize,
 ) -> Result<RString, Error> {
-    let compressed: Vec<u8> = unsafe { rb_input.as_slice().to_vec() };
-    if compressed.len() < ZSTD_FRAME_MAGIC.len() || compressed[..4] != ZSTD_FRAME_MAGIC {
-        return Err(Error::new(
-            decompress_error(ruby),
-            "zstd dict frame decode failed: bad magic (input is not a Zstd frame)",
-        ));
-    }
-
     // Note: raw-content zstd dictionaries always produce a frame `dictID`
     // of 0, so we cannot use `get_dict_id_from_frame` for negotiation.
-    // The Dict_ID exposed by `Dictionary#id` is for out-of-band peer
-    // agreement (e.g. via the `dict:sha256:<hex>` profile string in the
-    // application protocol). On-wire mismatch is caught by the content
-    // checksum that the encoder enables — wrong dict bytes will produce
-    // a checksum failure here.
-
-    let upper = match zstd_safe::get_frame_content_size(&compressed) {
-        Ok(Some(n)) if n <= u64::from(u32::MAX) => n as usize,
-        _ => 1024 * 1024,
-    };
-    let mut out = vec![0u8; upper];
-
+    // On-wire dict mismatch is caught by the content checksum that the
+    // encoder enables — wrong dict bytes produce a checksum failure in
+    // the shared helper's decoder call.
+    let compressed: Vec<u8> = unsafe { rb_input.as_slice().to_vec() };
     let mut dctx = rb_self.dctx.lock().expect("Dictionary DCtx mutex poisoned");
-    let n = dctx.decompress(&mut out, &compressed).map_err(|code| {
-        Error::new(
-            decompress_error(ruby),
-            format!("zstd dict frame decode failed: {code}"),
-        )
-    })?;
-    out.truncate(n);
+    let out = decompress_bounded(&compressed, max_output, &mut dctx)
+        .map_err(|e| raise_bounded(ruby, e, "zstd dict frame decode failed"))?;
     Ok(ruby.str_from_slice(&out))
 }
 
@@ -310,10 +399,26 @@ fn init(ruby: &Ruby) -> Result<(), Error> {
         .set(Opaque::from(decompress_error_class))
         .unwrap_or_else(|_| panic!("init called more than once"));
 
+    let missing_content_size_error_class =
+        module.define_error("MissingContentSizeError", decompress_error_class)?;
+    MISSING_CONTENT_SIZE_ERROR
+        .set(Opaque::from(missing_content_size_error_class))
+        .unwrap_or_else(|_| panic!("init called more than once"));
+
+    let output_size_limit_error_class =
+        module.define_error("OutputSizeLimitError", decompress_error_class)?;
+    OUTPUT_SIZE_LIMIT_ERROR
+        .set(Opaque::from(output_size_limit_error_class))
+        .unwrap_or_else(|_| panic!("init called more than once"));
+
     // Bound as `_native_compress(bytes, level)`. Ruby's `RZstd.compress`
     // wraps this with a `level:` kwarg default — see `lib/rzstd.rb`.
     module.define_module_function("_native_compress", function!(rzstd_compress, 2))?;
-    module.define_module_function("decompress", function!(rzstd_decompress, 1))?;
+    module.define_module_function("_native_decompress", function!(rzstd_decompress, 2))?;
+    module.define_module_function(
+        "get_frame_content_size",
+        function!(rzstd_get_frame_content_size, 1),
+    )?;
 
     let dict_class = module.define_class("Dictionary", ruby.class_object())?;
     // Bound as `_native_new(bytes, id, level)`. Ruby's `RZstd::Dictionary.new(bytes)`
@@ -321,7 +426,7 @@ fn init(ruby: &Ruby) -> Result<(), Error> {
     dict_class.define_singleton_method("_native_new", function!(dict_initialize, 3))?;
     dict_class.define_singleton_method("_native_train", function!(rzstd_train, 3))?;
     dict_class.define_method("compress", method!(dict_compress, 1))?;
-    dict_class.define_method("decompress", method!(dict_decompress, 1))?;
+    dict_class.define_method("_native_decompress", method!(dict_decompress, 2))?;
     dict_class.define_method("size", method!(dict_size, 0))?;
     dict_class.define_method("id", method!(dict_id, 0))?;
 

data/lib/rzstd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RZstd
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/rzstd.rb

@@ -15,7 +15,20 @@ module RZstd
     _native_compress(bytes, Integer(level))
   end
 
+  # Bounded single-shot decompression. When `max_output_size:` is given,
+  # the Rust extension reads the frame's Frame_Content_Size header, raises
+  # MissingContentSizeError if absent, and raises OutputSizeLimitError if
+  # the declared size exceeds the limit — all before allocating the output
+  # buffer or invoking the decoder. When nil, frames without FCS fall back
+  # to a 1 MiB ceiling.
+  def self.decompress(bytes, max_output_size: nil)
+    _native_decompress(bytes, Integer(max_output_size || 0))
+  end
+
   class Dictionary
+    def decompress(bytes, max_output_size: nil)
+      _native_decompress(bytes, Integer(max_output_size || 0))
+    end
     # Public constructor. Derives the Zstd `Dict_ID` from the dictionary
     # bytes (sha256 truncated to the first 4 bytes, little-endian) and
     # forwards to the Rust extension. The id is for out-of-band peer

data/tmp/x86_64-linux/stage/ext/rzstd/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name    = "rzstd"
-version = "0.1.0"
+version = "0.2.0"
 edition = "2021"
 
 [lib]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rzstd
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Patrik Wenger