fix: consolidated numeric overflow/underflow prevention with saturating operations

echobt · echobt · commit a651ebff361e · 2026-02-04T15:41:46.000Z
This PR consolidates the following numeric safety fixes: - #39: Use saturating casts in git_info to prevent overflow - #40: Use saturating casts for token counts in streaming - #41: Use saturating subtraction to prevent underflow in compaction All changes use saturating arithmetic operations: - Replaced direct casts with saturating_sub and try_into - Prevents panic on numeric overflow/underflow conditions
diff --git a/src/cortex-compact/src/compactor.rs b/src/cortex-compact/src/compactor.rs
@@ -106,7 +106,10 @@ impl Compactor {
         }];
         new_items.extend(items.into_iter().skip(preserved_start));
 
-        let tokens_after = current_tokens - tokens_in_compacted + summary_tokens;
+        // Use saturating arithmetic to prevent underflow if tokens_in_compacted > current_tokens
+        let tokens_after = current_tokens
+            .saturating_sub(tokens_in_compacted)
+            .saturating_add(summary_tokens);
 
         let result =
             CompactionResult::success(summary, current_tokens, tokens_after, items_removed);
diff --git a/src/cortex-engine/src/git_info.rs b/src/cortex-engine/src/git_info.rs
@@ -67,9 +67,17 @@ impl GitInfo {
         let status = git_command(&root, &["status", "--porcelain"]).unwrap_or_default();
         let is_dirty = !status.is_empty();
 
-        // Count changes
-        let changes = status.lines().filter(|l| !l.starts_with("??")).count() as u32;
-        let untracked = status.lines().filter(|l| l.starts_with("??")).count() as u32;
+        // Count changes (saturating to u32::MAX to prevent truncation)
+        let changes = status
+            .lines()
+            .filter(|l| !l.starts_with("??"))
+            .count()
+            .min(u32::MAX as usize) as u32;
+        let untracked = status
+            .lines()
+            .filter(|l| l.starts_with("??"))
+            .count()
+            .min(u32::MAX as usize) as u32;
 
         // Get tags
         let tags = git_command(&root, &["tag", "--points-at", "HEAD"])
@@ -385,7 +393,7 @@ impl GitStash {
                 let message = parts.get(2).unwrap_or(&"").to_string();
 
                 stashes.push(GitStash {
-                    index: i as u32,
+                    index: i.min(u32::MAX as usize) as u32,
                     message,
                     branch,
                 });
diff --git a/src/cortex-engine/src/streaming.rs b/src/cortex-engine/src/streaming.rs
@@ -26,12 +26,25 @@ pub struct StreamTokenUsage {
     pub total_tokens: u32,
 }
 
+/// Safely convert an i64 token count to u32 with saturation.
+/// Negative values clamp to 0, values > u32::MAX clamp to u32::MAX.
+#[inline]
+fn saturating_i64_to_u32(value: i64) -> u32 {
+    if value <= 0 {
+        0
+    } else if value > u32::MAX as i64 {
+        u32::MAX
+    } else {
+        value as u32
+    }
+}
+
 impl From<crate::client::TokenUsage> for StreamTokenUsage {
     fn from(usage: crate::client::TokenUsage) -> Self {
         Self {
-            prompt_tokens: usage.input_tokens as u32,
-            completion_tokens: usage.output_tokens as u32,
-            total_tokens: usage.total_tokens as u32,
+            prompt_tokens: saturating_i64_to_u32(usage.input_tokens),
+            completion_tokens: saturating_i64_to_u32(usage.output_tokens),
+            total_tokens: saturating_i64_to_u32(usage.total_tokens),
         }
     }
 }
