From 3217833e45a3b9ec5028b4a3cc7c2f155c643e78 Mon Sep 17 00:00:00 2001 From: DevmateRemedimateMacaClaude Bot Date: Thu, 14 May 2026 09:46:02 -0700 Subject: [PATCH] Fix out_of_bounds_read in getConstantDataPtr (XNNCompiler.cpp) (T267371218) Reviewed By: psiddh Differential Revision: D104380965 --- backends/xnnpack/runtime/XNNCompiler.cpp | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/backends/xnnpack/runtime/XNNCompiler.cpp b/backends/xnnpack/runtime/XNNCompiler.cpp index 103bdeb6b82..9a307e95ea4 100644 --- a/backends/xnnpack/runtime/XNNCompiler.cpp +++ b/backends/xnnpack/runtime/XNNCompiler.cpp @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -179,6 +180,7 @@ Result getConstantDataPtr( uint32_t buffer_idx, GraphPtr flatbuffer_graph, const uint8_t* constant_data_ptr, + uint64_t constant_data_size, const NamedDataMap* named_data_map, std::vector& freeable_buffers, XNNWeightsCache* weights_cache) { @@ -219,10 +221,20 @@ Result getConstantDataPtr( "Null constant_data entry at buffer_idx %u", buffer_idx); uint64_t offset = constant_data_offset->offset(); + uint64_t entry_size = constant_data_offset->size(); bool has_named_key = flatbuffers::IsFieldPresent( constant_data_offset, fb_xnnpack::ConstantDataOffset::VT_NAMED_KEY); // If there is no tensor name if (!has_named_key) { + ET_CHECK_OR_RETURN_ERROR( + offset <= constant_data_size && + entry_size <= constant_data_size - offset, + InvalidProgram, + "ConstantDataOffset {offset=%" PRIu64 ", size=%" PRIu64 + "} out of bounds for constant_data region of size %" PRIu64, + offset, + entry_size, + constant_data_size); return constant_data_ptr + offset; } else { ET_CHECK_OR_RETURN_ERROR( @@ -265,6 +277,7 @@ Result getConstantDataPtr( const fb_xnnpack::XNNTensorValue* tensor_value, GraphPtr flatbuffer_graph, const uint8_t* constant_data_ptr, + uint64_t constant_data_size, const NamedDataMap* named_data_map, std::vector& freeable_buffers, XNNWeightsCache* weights_cache) { @@ -272,6 +285,7 @@ Result getConstantDataPtr( tensor_value->constant_buffer_idx(), flatbuffer_graph, constant_data_ptr, + constant_data_size, named_data_map, freeable_buffers, weights_cache); @@ -288,6 +302,7 @@ Error defineTensor( ValuePtr value, GraphPtr flatbuffer_graph, const uint8_t* constant_data_ptr, + uint64_t constant_data_size, std::vector& input_ids, std::vector& output_ids, CompileAllocator& allocator, @@ -345,6 +360,7 @@ Error defineTensor( tensor_value, flatbuffer_graph, constant_data_ptr, + constant_data_size, named_data_map, freeable_buffers, weights_cache); @@ -500,6 +516,7 @@ Error defineTensor( qparams->scale_buffer_idx(), flatbuffer_graph, constant_data_ptr, + constant_data_size, named_data_map, freeable_buffers, weights_cache); @@ -546,6 +563,7 @@ Error defineTensor( qparams->scale_buffer_idx(), flatbuffer_graph, constant_data_ptr, + constant_data_size, named_data_map, freeable_buffers, weights_cache); @@ -1980,6 +1998,7 @@ ET_NODISCARD Error XNNCompiler::compileModel( Result header = XNNHeader::Parse(buffer_pointer, num_bytes); const uint8_t* flatbuffer_data = nullptr; const uint8_t* constant_data = nullptr; + uint64_t constant_data_size = 0; size_t flatbuffer_size = 0; CompileAllocator compile_allocator; @@ -1990,6 +2009,7 @@ ET_NODISCARD Error XNNCompiler::compileModel( flatbuffer_size = header->flatbuffer_size; constant_data = reinterpret_cast(buffer_pointer) + header->constant_data_offset; + constant_data_size = header->constant_data_size; } else if (header.error() == Error::NotFound) { flatbuffer_data = reinterpret_cast(buffer_pointer); flatbuffer_size = num_bytes; @@ -2081,6 +2101,7 @@ ET_NODISCARD Error XNNCompiler::compileModel( value, flatbuffer_graph, constant_data, + constant_data_size, input_ids, output_ids, compile_allocator,