Do size checks when deserializing data from aggregation states and other sources

[Algunenano]

Changelog category (leave one):

• Critical Bug Fix (crash, data loss, RBAC) or LOGICAL_ERROR

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Do size checks when deserializing data from aggregation states and other sources

Closes #86882

I'll do a review before unmarking it as draft

Documentation entry for user-facing changes

• Documentation is written (mandatory for new features)

[clickhouse-gh]

Workflow [PR], commit [7b2820f]

Summary: ❌

job_name	test_name	status	info	comment
Stateless tests (arm_asan, targeted)		failure
	03358_block_structure_match	FAIL	cidb
Stress test (amd_debug)		failure
	Server died	FAIL	cidb
	Hung check failed, possible deadlock found (see hung_check.log)	FAIL	cidb
	Killed by signal (in clickhouse-server.log)	FAIL	cidb
	Fatal message in clickhouse-server.log (see fatal_messages.txt)	FAIL	cidb
	Killed by signal (output files)	FAIL	cidb
	Found signal in gdb.log	FAIL	cidb
Upgrade check (amd_msan)		failure
	Killed by signal (in clickhouse-server.log)	FAIL	cidb
	Fatal message in clickhouse-server.log (see fatal_messages.txt)	FAIL	cidb
	Killed by signal (output files)	FAIL	cidb
	Found signal in gdb.log	FAIL	cidb
BuzzHouse (amd_debug)		failure
	Logical error: 'Inconsistent AST formatting: the query:	FAIL	cidb
BuzzHouse (amd_ubsan)		failure
	/home/ubuntu/actions-runner/_work/ClickHouse/ClickHouse/src/IO/VarInt.h:32:5: runtime error: store to null pointer of type 'char'	FAIL	cidb
Performance Comparison (amd_release, master_head, 3/6)		failure
	Select historical data	failure

[Copilot]

Pull Request Overview

This PR addresses a critical security issue by implementing proper size checks when deserializing data from aggregation states and other untrusted sources. The changes prevent potential crashes and data corruption by validating buffer boundaries before reading serialized data.

Key Changes:

• Modified deserialization methods across all column types to use ReadBuffer instead of raw pointers for safer boundary checking
• Added size validation checks before reading serialized data to prevent buffer overruns
• Updated test cases to verify proper error handling for malformed data

Reviewed Changes

Copilot reviewed 56 out of 56 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/Columns/*.{h,cpp}	Refactored deserialization methods to use ReadBuffer API with proper bounds checking
src/Interpreters/AggregationMethod.cpp	Updated key deserialization to use ReadBuffer for size validation
src/Dictionaries/*.{h,cpp}	Modified dictionary deserialization to validate buffer sizes before reading
src/Functions/array/arrayIntersect.cpp	Added buffer size checks when deserializing array elements
src/AggregateFunctions/*.{h,cpp}	Updated aggregate function deserialization to use safer ReadBuffer-based approach
tests/queries/0_stateless/03716_topk_bad_data.*	Added test cases to verify proper error handling for malformed aggregation state data

[Algunenano]

This looks odd. It seems it was incorrect before (and consequently now too), since it should skip one byte.

[Algunenano]

Failures:

• 03711_deduplication_blocks_part_log -> Flaky test: 03711_deduplication_blocks_part_log #90063
• Bugfix validation: It's reporting incorrectly -> CI: Fix status inversion for bugfix validation in functional tests #90056
• BuzzHouse: Unrelated Inconsistent AST formatting: the query with EXCEPT -> Inconsistent AST formatting with EXCEPT #83768