Fix overflow in VecSimParams_GetQueryBlobSize

[dor-forer]

Motivation

• The public helper VecSimParams_GetQueryBlobSize computed VecSimType_sizeof(type) * dim and added sizeof(float) for INT8/UINT8 cosine without checking for size_t overflow, which can wrap and cause undersized allocations and subsequent out-of-bounds accesses.
• Existing tests only exercised small dimensions and did not detect the boundary overflow cases.

Description

• Add overflow guards in VecSimParams_GetQueryBlobSize by checking element_size > SIZE_MAX / dim before multiplication and blobSize > SIZE_MAX - sizeof(float) before the cosine norm addition, returning 0 if the required size cannot be represented in size_t.
• Keep existing functionality for normal ranges while making the API safe for untrusted dim values.
• Add a unit test TestGetQueryBlobSizeOverflow in tests/unit/test_common.cpp that asserts VecSimParams_GetQueryBlobSize returns 0 for a multiplication overflow dimension and for the addition overflow case for INT8/UINT8 cosine.
• Files changed: src/VecSim/vec_sim.cpp and tests/unit/test_common.cpp.

Testing

• Added the deterministic unit test TestGetQueryBlobSizeOverflow but could not execute the test suite in this environment because CMake FetchContent downloads from GitHub are blocked (HTTP 403) and configuring/building tests failed.
• attempted to configure a Release build with cmake -S . -B build -DCMAKE_BUILD_TYPE=Release, which failed due to an SVS dependency download returning HTTP 403.
• attempted to configure and build tests with -DUSE_SVS=OFF -DVECSIM_BUILD_TESTS=ON but the build still failed because googletest download was blocked with HTTP 403; no unit tests were run here as a result.

---

Codex Task

[jit-ci]

🛡️ Jit Security Scan Results

✅ No security findings were detected in this PR

---

^{Security scan by Jit}