fix(payload): reject zero-byte arbitrary input for Block

[goxberry]

What does this PR do?

Fixes a latent panic in lading_payload::block::Block::arbitrary (#[cfg(feature = "arbitrary")]). The previous implementation panicked when the fuzzer produced a zero for u32::arbitrary; the fix rejects that case via arbitrary::Error::IncorrectFormat so the fuzzer skips the input and tries another.

A regression test pins the new behavior.

The bug

#[cfg(feature = "arbitrary")]
impl<'a> arbitrary::Arbitrary<'a> for Block {
    fn arbitrary(u: &mut arbitrary::Unstructured<'a>) -> arbitrary::Result<Self> {
        let total_bytes = u32::arbitrary(u)?;
        let bytes = u.bytes(total_bytes as usize).map(Bytes::copy_from_slice)?;
        Ok(Self {
            total_bytes: NonZeroU32::new(total_bytes).expect("total_bytes must be non-zero"),
            bytes,
            metadata: BlockMetadata::default(),
        })
    }
}

u32::arbitrary is permitted by contract to return any u32, including 0. When that happens, NonZeroU32::new(0) is None, and .expect(...) panics. Reachable from lading_fuzz, which enables the arbitrary feature.

The fix

let total_bytes =
    NonZeroU32::new(u32::arbitrary(u)?).ok_or(arbitrary::Error::IncorrectFormat)?;
let bytes = u
    .bytes(total_bytes.get() as usize)
    .map(Bytes::copy_from_slice)?;
Ok(Self { total_bytes, bytes, metadata: BlockMetadata::default() })

Three changes:

1. NonZeroU32::new(...).expect(...) → .ok_or(arbitrary::Error::IncorrectFormat)?. This is the documented way to tell the arbitrary crate "skip this input, it's malformed."
2. The bytes allocation moves below the rejection check, so a rejected input no longer allocates first.
3. total_bytes.get() is used for the u.bytes(...) call, since total_bytes is now NonZeroU32.

Regression test

arbitrary_rejects_zero_total_bytes lives in a new #[cfg(all(test, feature = "arbitrary"))] submodule of block.rs. It constructs Unstructured::new(&[0u8; 16]) — guaranteeing u32::arbitrary reads four zero bytes — and asserts the result is Err(arbitrary::Error::IncorrectFormat). The test was written against the old code first; there, it panicked exactly at the .expect(), confirming the bug.

Motivation

Last targeted PR in the panic-cleanup phase of the stack started by #1882. After this lands, the only remaining work in lading_payload is the Cat-2 sites (~33 .expect() sites that need function-signature changes to thread Result through) and the final quarantine drop. Those will be the next sub-stack.

Related issues

Stacked on #1891.

Additional Notes

• cargo build --all-targets --all-features ✓
• cargo clippy --all-targets --all-features ✓
• cargo test -p lading-payload --features arbitrary --lib ✓ (245 passed including the new regression test)
• Diff: 2 files, +37 −3.

[goxberry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(lading): surface tooling/FUSE-mount panics as errors #1904
• fix(lading): surface remote-input parsing failures as errors #1903
• fix(lading): surface user-config parsing failures as Error variants #1902
• refactor(lading): drop expect_used quarantines and annotate bins #1901
• refactor(lading): annotate intentional-panic observer/target sites #1900
• refactor(lading): annotate intentional-panic network generators #1899
• refactor(lading): annotate intentional-panic file_gen sites #1898
• refactor(lading): annotate intentional-panic blackhole + small generator sites #1897
• refactor(lading): convert structural-infallible .expect() to unreachable!() #1896
• refactor(capture): retire .expect() sites and drop quarantines #1894
• refactor(payload): retire remaining .expect() sites and drop quarantine #1893
• fix(payload): reject zero-byte arbitrary input for Block #1892 👈 (View in Graphite)
• refactor(payload): annotate intentional-panic .expect() sites #1891
• refactor(payload): mark in-function invariants as unreachable!() #1890
• refactor(payload): mark fallible-context infallibles as unreachable!() #1885
• refactor(payload): mark infallible .expect() sites as unreachable!() #1884
• chore(clippy): drop expect_used quarantine for lading_throttle #1883
• chore(clippy): forbid .expect() in production code #1882
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.