Harden GGUF parsing: bound file-controlled lengths/offsets/dimensions #28

Open
professor-moody wants to merge 1 commit into antirez:main from professor-moody:harden-gguf-parse-bounds
@professor-moody

Summary

Crafted .gguf files can crash gguflib's parse path: out-of-bounds reads (SIGSEGV), an out-of-bounds write (a tensor declaring n_dims > 8), and a divide-by-zero (general.alignment = 0). The shared root cause is that file-controlled length/offset/dimension fields are used to index and advance into the mmap'd buffer with no validation against ctx->size. This PR adds uniform bounds checks so malformed files are rejected instead of crashing.

Addresses #25 and #27.

Changes (gguflib.c)

Testing

No RCE is claimed — these are memory-safety crashes (DoS / OOB) on attacker-supplied files.

Crafted .gguf files could trigger OOB reads (SIGSEGV), an OOB write (n_dims>8), and a
divide-by-zero (general.alignment=0): file-controlled length/offset/dim fields were used to
index/advance into the mmap without validating against ctx->size. Add uniform bounds checks in
gguf_get_key, gguf_set_data_offset, and gguf_get_tensor; guard the alignment divisor; replace the
NDEBUG-compiled-out ndim assert with a real check; overflow-check num_weights. Addresses antirez#25, antirez#27.
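
The class of checks described above, as an added example that is not code from this PR or from gguflib. The names `pctx`, `in_bounds`, `read_bytes`, `align_padding` and `parse_dims`, and the simplified header layout (a u32 dimension count followed by u64 dimensions), are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIMS 8 /* limit taken from the PR text: n_dims > 8 is rejected */

/* Hypothetical parse context: mapped buffer, its size, and a read cursor. */
typedef struct { const uint8_t *data; uint64_t size, off; } pctx;

/* True if len bytes at the cursor lie inside the buffer. Written as a
 * subtraction so that off + len can never wrap around. */
static int in_bounds(const pctx *c, uint64_t len) {
    return c->off <= c->size && len <= c->size - c->off;
}

/* Copy a fixed-width field and advance, or fail without touching memory.
 * Assumes a little-endian host, matching the on-disk byte order. */
static int read_bytes(pctx *c, void *out, uint64_t len) {
    if (!in_bounds(c, len)) return 0;
    memcpy(out, c->data + c->off, (size_t)len);
    c->off += len;
    return 1;
}

/* Padding needed to align off; a file-supplied alignment of 0 is refused
 * instead of reaching the modulo. */
static int align_padding(uint64_t off, uint64_t alignment, uint64_t *pad) {
    if (alignment == 0) return 0;
    *pad = (alignment - (off % alignment)) % alignment;
    return 1;
}

/* Read the dimension count and dimensions; return the element count. */
static int parse_dims(pctx *c, uint64_t *num_weights) {
    uint32_t ndim; uint64_t dim[MAX_DIMS], n = 1;
    if (!read_bytes(c, &ndim, 4)) return 0;
    if (ndim > MAX_DIMS) return 0; /* runtime check: assert() vanishes under NDEBUG */
    for (uint32_t i = 0; i < ndim; i++) {
        if (!read_bytes(c, &dim[i], 8)) return 0;
        if (dim[i] != 0 && n > UINT64_MAX / dim[i]) return 0; /* product overflow */
        n *= dim[i];
    }
    *num_weights = n;
    return 1;
}

int main(void) {
    uint8_t buf[12] = {0}; uint32_t nd = 9; uint64_t n, pad; /* constructed input */
    memcpy(buf, &nd, 4);
    pctx c = { buf, sizeof buf, 0 };
    printf("ndim=9: %s\n", parse_dims(&c, &n) ? "accepted" : "rejected");
    printf("alignment=0: %s\n", align_padding(20, 0, &pad) ? "accepted" : "rejected");
    return 0;
}
```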