fix: Avoid overflows when reading json inputs

[whoisj]

Check input from HTTP+JSON sizes before allocating memory for them.

Protect against integer overflows while we're at it.

[mudit-eng]

LGTM

[mattwittwer]

One edge case:
max_input_size_ is checked per-input rather than cumulatively, allowing up to a 4x memory limit bypass.
This PR checks byte_size > max_input_size_ to prevents excessive memory allocation. However, because this check is evaluated on individual inputs rather than the cumulative total of the entire HTTP request, a single request can still cause the server to allocate up to 4x the memory limit.

The scenario:
The upstream EVBufferToJson limits the physical size of the incoming HTTP JSON payload to max_input_size_.
However, the most compact JSON representation of an element is 0, (2 bytes), while an FP64 element allocates 8 bytes in memory.
With a limit set to --http-max-input-size=128000000 (128 MB), a single 128 MB JSON payload formatted like this can allocate 512MB:

{
  "parameters": {
    "in_1": {"datatype": "FP64", "data": [ ... 16 million zeros (32 MB JSON) ... ]},
    "in_2": {"datatype": "FP64", "data": [ ... 16 million zeros (32 MB JSON) ... ]},
    "in_3": {"datatype": "FP64", "data": [ ... 16 million zeros (32 MB JSON) ... ]},
    "in_4": {"datatype": "FP64", "data": [ ... 16 million zeros (32 MB JSON) ... ]}
  }
}

What happens:
The upstream check passes because the total HTTP payload is exactly 128 MB.
ExactMappingInput parses in_1. The calculated byte_size is 128 MB. The check if (byte_size > max_input_size_) passes. Triton allocates 128 MB. This repeats for in_2, in_3, and in_4. Resulting in the server allocating 512 MB of memory for a single request, bypassing the 128 MB max_input_size_ limit.

[yinggeh]

LGTM. Though I think it's a bit of over-engineering here.

[whoisj]

max_input_size_ is checked per-input rather than cumulatively, allowing up to a 4x memory limit bypass.

Agreed about exceeding the overall limit. I'll create a follow up to address that separately. Thanks for pointing it out.

[yinggeh]

PR title isn't following the convention.

[yinggeh]

I think test is required for such code change. Whether verify its functionality with existing ones or by creating a new test.

[whoisj]

I think test is required for such code change. Whether verify its functionality with existing ones or by creating a new test.

Added 2 new tests. Let me know if they look good to you.

[yinggeh]

Would like to see tests that passing with size 67108864 but failed with 67108864+1.

[whoisj]

changed the format.

[yinggeh]

I am confused with the naming here. Can you use a more descriptive name?

[whoisj]

do you have a suggestion?

[whoisj]

Converted to a draft after hitting another SEGFAULT bug. Will reopen once the tests are clean.

[mudit-eng]

&serialized[0] is undefined behavior if vector is empty. Safer to do something like:

char* serialized_base = serialized.data();

or

char* serialized_base = serialized.empty() ? nullptr : serialized.data();

[whoisj]

sure. I was just using the existing code, but I'll fix up regardless.

[mudit-eng]

HTTPAPIServer already has protected member:size_t max_input_size_;. Can this create confusion?

[whoisj]

I don't see how, they're both private fields.

[mudit-eng]

Not sure if this message is intuitive. This does not convey what is the maximum input size.

[whoisj]

the updated format was a request from @yinggeh. Can you two decide between you which you prefer?

[mudit-eng]

Can we use unordered_map here?

[whoisj]

no idea, but that would be changing existing code and I'd rather not because I feel that is outside the scope of this PR.

[mudit-eng]

this is not being called anywhere

[whoisj]

I'll remove.

[mudit-eng]

Can byte_size + consumed_input_byte_size result in an overflow?

[whoisj]

no because of the check immediately previous.

[mudit-eng]

Yes, you checked for overflow here: byte_size + consumed_input_byte_size < consumed_input_byte_size) but can't there be an overflow here: auto overrun = byte_size + consumed_input_byte_size - max_input_size_