Skip to content

fix(graph): bounds-check vertex indices in insert_edge (#34)#37

Merged
bushidocodes merged 1 commit into
masterfrom
fix/issue-34-insert-edge-bounds
Jun 13, 2026
Merged

fix(graph): bounds-check vertex indices in insert_edge (#34)#37
bushidocodes merged 1 commit into
masterfrom
fix/issue-34-insert-edge-bounds

Conversation

@bushidocodes

Copy link
Copy Markdown
Owner

Summary

Fixes #34. insert_edge in src/sean/wasm/graph.c wrote g->edges[source], g->degree[source] (and the undirected mirror at destination) without any bounds check. Those arrays are fixed-size MAXV + 1 (valid 1-indexed range [1, MAXV]), so a vertex index outside that range — reachable from JavaScript via the exported insertEdge() WASM API — writes past the end of the arrays and corrupts WASM linear memory. It also set number_vertices = max unconditionally, which would later drive build_csr to allocate/iterate out of bounds.

Fix

  • Add a guard at the top of insert_edge (before the number_vertices update) rejecting any source/destination outside [1, MAXV], with a stderr message and early return.
  • Placement matters: guarding before number_vertices = max prevents an out-of-range index from poisoning build_csr's sizing/iteration.
  • Mirrors the Issue Kruskal: fixed 200-element arrays overflow on JS-supplied edge/vertex counts #9 fix in kruskal's insertadjver. The public insertEdge() in main.c forwards straight through to insert_edge, so the single guard covers the WASM entry point.

Tests

Two Unity regression tests in test_graph.c:

  • test_insert_edge_rejects_oversized_vertex — source/destination > MAXV
  • test_insert_edge_rejects_nonpositive_vertex — vertex 0 / negative

Both fail red without the guard (number_vertices becomes non-zero) and pass green with it. Verified locally:

7 Tests 0 Failures 0 Ignored   # test-sean (was 5)

🤖 Generated with Claude Code

insert_edge wrote g->edges[source]/g->degree[source] (and the undirected
mirror at [destination]) with no bounds check. edges[]/degree[] are
fixed-size MAXV+1 arrays, so a vertex index outside the valid 1-indexed
[1, MAXV] range — reachable from JS via the exported insertEdge() WASM
API — writes past the end of the arrays, corrupting WASM linear memory.
It also set number_vertices = max unconditionally, which would later
drive build_csr to allocate and iterate out of bounds.

Add a guard at the top of insert_edge (before the number_vertices update)
rejecting any source/destination outside [1, MAXV], mirroring the Issue #9
fix in kruskal's insertadjver. Forwarding from insertEdge() in main.c is
covered since it calls straight through to insert_edge.

Adds two Unity regression tests (oversized and non-positive vertex ids);
both fail red without the guard and pass green with it.

Closes #34

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@bushidocodes bushidocodes merged commit f80cb29 into master Jun 13, 2026
2 checks passed
@bushidocodes bushidocodes deleted the fix/issue-34-insert-edge-bounds branch June 13, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

insert_edge writes out-of-bounds when vertex index exceeds MAXV

1 participant