Description
Describe the bug
When using the ft.search command, if the LIMIT parameter is included and the offset exceeds the number of search results, it will cause a server crash due to an array index out of bounds.
To Reproduce
127.0.0.1:6379> FT.CREATE idx SCHEMA description VECTOR HNSW 6 TYPE FLOAT32 DIM 3 DISTANCE_METRIC L2
OK
127.0.0.1:6379> HSET p1 description "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80?"
(integer) 1
127.0.0.1:6379> HSET p2 description "\x00\x00\x00\x00\x00\x00\x80?\x00\x00\x00\x00"
(integer) 1
127.0.0.1:6379> HSET p3 description "\x00\x00\x80?\x00\x00\x00\x00\x00\x00\x00\x00"
(integer) 1
127.0.0.1:6379> FT.SEARCH idx "*=>[KNN 5 @description $query_vector]" PARAMS 2 query_vector "\xcd\xccL?\x00\x00\x00\x00\x00\x00\x00\x00" DIALECT 2 LIMIT 1 10
Expected behavior
127.0.0.1:6379> FT.SEARCH idx "*=>[KNN 5 @description $query_vector]" PARAMS 2 query_vector "\xcd\xccL?\x00\x00\x00\x00\x00\x00\x00\x00" DIALECT 2 LIMIT 1 10
- (integer) 3
- "p1"
  - "__description_score"
  - "1.6400001049"
  - "description"
  - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80?"
- "p2"
  - "__description_score"
  - "1.6400001049"
  - "description"
  - "\x00\x00\x00\x00\x00\x00\x80?\x00\x00\x00\x00"
127.0.0.1:6379>
Actual behavior
server crash
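As an added example (not code from valkey-search or from the issue author), the C++ below decodes the four FLOAT32 payloads used in the reproduction, ranks them by squared L2 distance to the query the way the report's scores suggest, and then pages the result with a "LIMIT offset count" routine that checks both bounds. The names Neighbor, DecodeFloat32, RankByL2, ApplyLimit and ApplyLimitUnchecked are hypothetical stand-ins for the module's real types and functions, whose layout the page does not show; only the byte strings come from the report.

```cpp
// Added example (not valkey-search code): decode the FLOAT32 blobs from the
// report, rank them by squared L2 distance to the query, and apply
// FT.SEARCH-style "LIMIT offset count" with explicit bounds checks so an
// offset past the last hit yields an empty page instead of indexing past
// the end of the result container.
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <deque>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a search hit (the backtrace names
// valkey_search::indexes::Neighbor; its real layout is not on the page).
struct Neighbor {
  std::string key;
  double score;  // squared L2 distance, what FT.SEARCH reports as __description_score
};

// The four 12-byte payloads from the reproduction, with explicit lengths
// because they contain NUL bytes (constructing from a char* would truncate).
static const std::string kP1("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80?", 12);   // (0,0,1)
static const std::string kP2("\x00\x00\x00\x00\x00\x00\x80?\x00\x00\x00\x00", 12);   // (0,1,0)
static const std::string kP3("\x00\x00\x80?\x00\x00\x00\x00\x00\x00\x00\x00", 12);   // (1,0,0)
static const std::string kQuery("\xcd\xccL?\x00\x00\x00\x00\x00\x00\x00\x00", 12);  // (0.8,0,0)
static const size_t kDim = 3;

// Decode a little-endian FLOAT32 blob of `dim` elements; a short blob is
// rejected (empty result) rather than read past its end.
std::vector<float> DecodeFloat32(const std::string& blob, size_t dim) {
  std::vector<float> v;
  if (blob.size() < dim * sizeof(float)) return v;
  v.resize(dim);
  for (size_t i = 0; i < dim; ++i)
    std::memcpy(&v[i], blob.data() + i * sizeof(float), sizeof(float));
  return v;
}

// Brute-force KNN ranking: squared L2 distance ascending, ties keep insertion order.
std::deque<Neighbor> RankByL2(const std::vector<std::pair<std::string, std::string>>& docs,
                              const std::string& query_blob, size_t dim) {
  std::vector<float> q = DecodeFloat32(query_blob, dim);
  std::deque<Neighbor> hits;
  if (q.empty()) return hits;
  for (const auto& doc : docs) {
    std::vector<float> v = DecodeFloat32(doc.second, dim);
    if (v.empty()) continue;  // malformed vector: skip instead of reading garbage
    double d = 0.0;
    for (size_t i = 0; i < dim; ++i) {
      double diff = static_cast<double>(v[i]) - static_cast<double>(q[i]);
      d += diff * diff;
    }
    hits.push_back({doc.first, d});
  }
  std::stable_sort(hits.begin(), hits.end(),
                   [](const Neighbor& a, const Neighbor& b) { return a.score < b.score; });
  return hits;
}

// Unchecked paging, the shape of defect the report describes: with
// offset >= hits.size() the very first hits[offset] is out of range
// (undefined behaviour, in the report a SIGSEGV). Shown for contrast only;
// nothing below calls it.
std::deque<Neighbor> ApplyLimitUnchecked(const std::deque<Neighbor>& hits, size_t offset, size_t count) {
  std::deque<Neighbor> page;
  for (size_t i = 0; i < count; ++i) page.push_back(hits[offset + i]);
  return page;
}

// Checked paging: an offset past the end gives an empty page, and the end is
// computed from the remaining count so offset + count cannot overflow size_t.
std::deque<Neighbor> ApplyLimit(const std::deque<Neighbor>& hits, size_t offset, size_t count) {
  if (offset >= hits.size()) return {};
  size_t take = std::min(count, hits.size() - offset);
  auto first = hits.begin() + static_cast<std::ptrdiff_t>(offset);
  return std::deque<Neighbor>(first, first + static_cast<std::ptrdiff_t>(take));
}

// Convenience wrappers over the report's data.
std::vector<std::pair<std::string, std::string>> ReportDocs() {
  return {{"p1", kP1}, {"p2", kP2}, {"p3", kP3}};
}

std::vector<std::string> PageKeys(size_t offset, size_t count) {
  std::vector<std::string> keys;
  for (const Neighbor& n : ApplyLimit(RankByL2(ReportDocs(), kQuery, kDim), offset, count))
    keys.push_back(n.key);
  return keys;
}

double ScoreOf(const std::string& key) {
  for (const Neighbor& n : RankByL2(ReportDocs(), kQuery, kDim))
    if (n.key == key) return n.score;
  return -1.0;
}

int main() {
  for (const std::string& k : PageKeys(1, 10))  // the report's LIMIT 1 10
    std::printf("%s %.10f\n", k.c_str(), ScoreOf(k));
  std::printf("LIMIT 5 10 -> %zu hits\n", PageKeys(5, 10).size());  // offset past the end
  return 0;
}
```

With the report's data, p3 (distance 0.04) ranks first, so LIMIT 1 10 returns p1 and p2 with score 1.64, matching the expected output above, while LIMIT 5 10 returns an empty page rather than reading past the deque.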
Environment
valkey 8, valkey-search: main
Additional information to reproduce the failure
.2533893:signal-handler (1764850740) Crashed running signal handler. Providing reduced version of recursive crash report.
2533893:M 04 Dec 2025 20:19:00.128 # valkey 255.255.255 crashed by signal: 11, si_code: 1
2533893:M 04 Dec 2025 20:19:00.128 # Accessing address: 0x800000
2533893:M 04 Dec 2025 20:19:00.128 # Crashed running the instruction at: 0x7ff30e732709
------ STACK TRACE ------
EIP:
/lib/x86_64-linux-gnu/libc.so.6(+0x16d709)[0x7ff30e732709]
Backtrace:
/lib/x86_64-linux-gnu/libc.so.6(+0x3c050)[0x7ff30e601050]
/lib/x86_64-linux-gnu/libc.so.6(+0x16d709)[0x7ff30e732709]
./src/valkey-server 127.0.0.1:6379(+0x245c74)[0x55cfb7c4cc74]
./src/valkey-server 127.0.0.1:6379(memtest_test_linux_anonymous_maps+0x201)[0x55cfb7b5bdd1]
./src/valkey-server 127.0.0.1:6379(printCrashReport+0x109)[0x55cfb7b5e459]
./src/valkey-server 127.0.0.1:6379(+0x15f1ed)[0x55cfb7b661ed]
/lib/x86_64-linux-gnu/libc.so.6(+0x3c050)[0x7ff30e601050]
/data00/home/zhangshuai.kv/chore/valkey-search/.build-release/libsearch.so(_ZN13valkey_search13SearchCommand9SendReplyEP15ValkeyModuleCtxRSt5dequeINS_7indexes8NeighborESaIS5_EE+0x243)[0x7ff30c549b03]
/data00/home/zhangshuai.kv/chore/valkey-search/.build-release/libsearch.so(_ZN13valkey_search5async5ReplyEP15ValkeyModuleCtxPP18ValkeyModuleStringi+0x112)[0x7ff30c54acaa]
./src/valkey-server 127.0.0.1:6379(moduleHandleBlockedClients+0x1c5)[0x55cfb7bdb005]
./src/valkey-server 127.0.0.1:6379(blockedBeforeSleep+0xa5)[0x55cfb7bba235]
./src/valkey-server 127.0.0.1:6379(beforeSleep+0xb3)[0x55cfb7ab02f3]
./src/valkey-server 127.0.0.1:6379(aeMain+0x2f)[0x55cfb7aa36cf]
./src/valkey-server 127.0.0.1:6379(main+0x5c3)[0x55cfb7a97983]
/lib/x86_64-linux-gnu/libc.so.6(+0x2724a)[0x7ff30e5ec24a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85)[0x7ff30e5ec305]
./src/valkey-server 127.0.0.1:6379(_start+0x21)[0x55cfb7a992f1]
------ STACK TRACE DONE ------
------ REGISTERS ------
2533893:M 04 Dec 2025 20:19:00.129 #
RAX:00007ffeb24679c0 RBX:000000000007e000
RCX:00007ff30e6bd33f RDX:000000000007e000
RDI:00007ffeb24679c0 RSI:0000000000800000
RBP:00007ffeb25679f0 RSP:00007ffeb2467998
R8 :0000000000000002 R9 :0000000000000000
R10:0000000000000076 R11:0000000000000246
R12:0000000000000001 R13:0000000000000000
R14:000000000007f000 R15:0000000000800000
RIP:00007ff30e732709 EFL:0000000000010206
CSGSFS:002b000000000033
2533893:M 04 Dec 2025 20:19:00.129 * hide-user-data-from-log is on, skip logging stack content to avoid spilling user data.
------ DUMPING CODE AROUND EIP ------
Symbol: (null) (base: (nil))
Module: /lib/x86_64-linux-gnu/libc.so.6 (base 0x7ff30e5c5000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=(nil) -D -b binary -m i386:x86-64 /tmp/dump.bin
=== VALKEY BUG REPORT END. Make sure to include from START to END. ===
Please report the crash by opening an issue on github:
https://github.com/valkey-io/valkey/issues
If a module was involved, please open in the module's repo instead.
Suspect RAM error? Use valkey-server --test-memory to verify it.
Some other issues could be detected by valkey-server --check-system
[1] 2533893 segmentation fault (core dumped) ./src/valkey-server valkey.conf --loadmodule