Fix integer overflow in program.cpp bounds checks #18662

Open
lucylq wants to merge 1 commit into main from security17-24

Conversation

@lucylq
Contributor

@lucylq lucylq commented Apr 2, 2026

17: In get_constant_buffer_data(), the bounds check offset + nbytes <= size can overflow when offset and nbytes are large. Replace with the overflow-safe pattern
offset <= size && nbytes <= size - offset.

24: In Program::load(), the computation segment_base_offset + segment_data_size for the expected file size can overflow. Add an explicit overflow check before the addition to ensure the sum does not exceed SIZE_MAX.

This PR was authored with the assistance of Claude.

… TOB-EXECUTORCH-24)

TOB-EXECUTORCH-17: In get_constant_buffer_data(), the bounds check
`offset + nbytes <= size` can overflow when offset and nbytes are
large. Replace with the overflow-safe pattern
`offset <= size && nbytes <= size - offset`.

TOB-EXECUTORCH-24: In Program::load(), the computation
`segment_base_offset + segment_data_size` for the expected file size
can overflow. Add an explicit overflow check before the addition to
ensure the sum does not exceed SIZE_MAX.

This PR was authored with the assistance of Claude.
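The two checks described in the PR description and commit message above (and summarized again in the Copilot review further down), written out as an added example that is not ExecuTorch's program.cpp: each naive form beside its overflow-safe replacement, driven with constructed values that make the naive form wrap. Function and struct names (range_check_naive, range_check_safe, constant_buffer_data, expected_size_checked, ExtendedHeader, file_covers_header) and the "file must be at least expected bytes" comparison are assumptions for illustration. The point worth keeping in mind: on size_t the wrap is well-defined unsigned arithmetic, so neither the compiler nor UBSan flags it; the check has to be written so the wrap cannot happen.

```cpp
// Added example, not ExecuTorch code. Function and struct names are hypothetical;
// the values fed in below are constructed to trigger the wraparound.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// TOB-EXECUTORCH-17 shape, naive form: offset + nbytes is computed in size_t.
// Unsigned overflow wraps silently, so a huge nbytes can produce a small sum
// that satisfies "<= size" even though [offset, offset+nbytes) is far out of bounds.
bool range_check_naive(size_t offset, size_t nbytes, size_t size) {
  return offset + nbytes <= size;
}

// Overflow-safe replacement: bound offset first, so "size - offset" cannot wrap,
// then compare nbytes against the bytes that actually remain after offset.
bool range_check_safe(size_t offset, size_t nbytes, size_t size) {
  return offset <= size && nbytes <= size - offset;
}

// A constant-buffer accessor built on the safe check (hypothetical signature):
// returns nullptr instead of a pointer that would be dereferenced out of bounds.
const uint8_t* constant_buffer_data(const uint8_t* buf, size_t size,
                                    size_t offset, size_t nbytes) {
  if (!range_check_safe(offset, nbytes, size)) {
    return nullptr;
  }
  return buf + offset;
}

// TOB-EXECUTORCH-24 shape, naive form: the expected file size is the sum of two
// header fields read straight from the file, so the file author controls both operands.
size_t expected_size_naive(size_t program_size, size_t segment_base_offset,
                           size_t segment_data_size) {
  return segment_base_offset == 0 ? program_size
                                  : segment_base_offset + segment_data_size;
}

// Checked form: test for overflow before adding. Returns false (and leaves *out
// untouched) when the sum would not fit in size_t.
bool expected_size_checked(size_t program_size, size_t segment_base_offset,
                           size_t segment_data_size, size_t* out) {
  if (segment_base_offset == 0) {
    *out = program_size;
    return true;
  }
  if (segment_base_offset > SIZE_MAX - segment_data_size) {
    return false;  // sum would exceed SIZE_MAX
  }
  *out = segment_base_offset + segment_data_size;
  return true;
}

// Extended-header fields as a loader would have parsed them (constructed here).
struct ExtendedHeader {
  size_t program_size;
  size_t segment_base_offset;
  size_t segment_data_size;
};

// Loader-side validation: the file must be at least as large as the header
// claims (assumed comparison), and a header whose expected size cannot be
// represented is rejected outright rather than compared against a wrapped value.
bool file_covers_header(const ExtendedHeader& h, size_t file_size) {
  size_t expected = 0;
  if (!expected_size_checked(h.program_size, h.segment_base_offset,
                             h.segment_data_size, &expected)) {
    return false;
  }
  return file_size >= expected;
}

int main() {
  // Constructed bounds-check case: nbytes is near SIZE_MAX, so the naive sum
  // wraps to 7 and passes against a 1024-byte buffer; the safe check rejects it.
  const size_t size = 1024, offset = 16, huge = SIZE_MAX - 8;
  std::printf("naive check passes: %d\n", range_check_naive(offset, huge, size));
  std::printf("safe check passes:  %d\n", range_check_safe(offset, huge, size));

  // Constructed header case: the naive sum wraps to 99, so a 99-byte file would
  // "match" a header that claims a segment region ending past SIZE_MAX.
  ExtendedHeader crafted = {4096, SIZE_MAX - 100, 200};
  std::printf("naive expected size: %zu\n",
              expected_size_naive(crafted.program_size,
                                  crafted.segment_base_offset,
                                  crafted.segment_data_size));
  std::printf("checked loader accepts 99-byte file: %d\n",
              file_covers_header(crafted, 99));
  return 0;
}
```

The order of the two conjuncts in range_check_safe matters: `offset <= size` must be evaluated first, because `size - offset` itself wraps when offset exceeds size. The pre-addition test `a > SIZE_MAX - b` is the same idea applied to a sum: the subtraction is always representable, so the comparison is exact.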
@pytorch-bot

pytorch-bot bot commented Apr 2, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18662

Note: Links to docs will display an error until the docs builds have been completed.

✅ You can merge normally! (2 Unrelated Failures)

As of commit 033e1d8 with merge base ee92757:

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla bot added the CLA Signed label Apr 2, 2026
@github-actions

github-actions bot commented Apr 2, 2026

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

segment_data_size);
size_t expected = segment_base_offset == 0
? program_size
: segment_base_offset + segment_data_size;
Contributor Author

make sure this calculation doesn't overflow

@lucylq lucylq changed the title from "Fix integer overflow in program.cpp bounds checks (TOB-EXECUTORCH-17,…" to "Fix integer overflow in program.cpp bounds checks" Apr 2, 2026
@lucylq lucylq marked this pull request as ready for review April 2, 2026 00:27
@lucylq lucylq requested a review from JacobSzwejbka as a code owner April 2, 2026 00:27
Copilot AI review requested due to automatic review settings April 2, 2026 00:27
Contributor

Copilot AI left a comment

Pull request overview

This PR hardens program parsing in the runtime executor by making two size/bounds checks overflow-safe, preventing incorrect validation and potential out-of-bounds access when offsets/sizes are large.

Changes:

  • Add an explicit overflow check before computing segment_base_offset + segment_data_size when validating the expected file size from the extended header.
  • Replace the potentially overflowing bounds check offset + nbytes <= size with the overflow-safe pattern offset <= size && nbytes <= size - offset for constant segment accesses.


Labels

CLA Signed (managed by the Facebook bot; authors need to sign the CLA before a PR can be reviewed)
security-fix
