
Commit d9b991e

Fix model load heap overflow (#2068)
1 parent f026542 commit d9b991e

2 files changed

Lines changed: 6 additions & 1 deletion


CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -4,6 +4,7 @@
44

55
### Fixes and improvements
66

7+
* Fix memory-safety issues in the model loader (#2068) by [@jordimas](https://github.com/jordimas), reported by Chegne Eu Joe (Project Umbra)
78
* Upgrade Thrust submodule from 1.12.0 to CCCL 2.7.0 (#2062) by [@jordimas](https://github.com/jordimas)
89

910
## [v4.8.0](https://github.com/OpenNMT/CTranslate2/releases/tag/v4.8.0) (2026-06-06)

src/models/model.cc

Lines changed: 5 additions & 1 deletion
@@ -80,8 +80,10 @@ namespace ctranslate2 {
8080
template<>
8181
std::string consume(std::istream& in) {
8282
const auto str_length = consume<uint16_t>(in);
83+
if (str_length == 0)
84+
throw std::runtime_error("Invalid string length in " + binary_file);
8385
const auto c_str = consume<char>(in, str_length);
84-
std::string str(c_str);
86+
std::string str(c_str, str_length - 1);
8587
delete [] c_str;
8688
return str;
8789
}
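
Review bot: In `std::string str(c_str, str_length - 1);` the final byte is dropped on the assumption that it is a NUL terminator, but nothing in this hunk verifies that. Consider rejecting the record unless `c_str[str_length - 1] == '\0'`, and either run that check after `delete [] c_str;` has a guaranteed path or hold the buffer in a `std::unique_ptr<char[]>` so a throw cannot leak it. The length-based constructor also keeps embedded NUL bytes that the old `std::string str(c_str)` stopped at, so strings with interior NULs can now reach callers; decide whether those should be rejected as well. Finally, `binary_file` appears in the new error message but is not a parameter or local in the visible lines, so confirm it is in scope in this specialization.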
@@ -654,6 +656,8 @@ namespace ctranslate2 {
654656
}
655657

656658
StorageView variable(std::move(shape), dtype);
659+
if (num_bytes != variable.size() * variable.item_size())
660+
throw std::runtime_error("Variable '" + name + "' has an invalid payload size");
657661
consume<char>(model_file, num_bytes, static_cast<char*>(variable.buffer()));
658662
if (tensor_parallel) {
659663
int outer_dim = 0;
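
Review bot: The payload-size check on new line 659 runs after `StorageView variable(std::move(shape), dtype);`, so the buffer has already been allocated from `shape` before anything is validated. If `shape` is read from the model file, a crafted header can still drive an arbitrarily large allocation, and `variable.size() * variable.item_size()` may wrap for extreme dimensions depending on the operand types, which are not visible here. Consider computing the expected byte count from `shape` and `dtype` with an overflow check and comparing it to `num_bytes` before constructing the `StorageView`. Including the expected and actual sizes in the exception text would make a rejected file easier to diagnose. The commit changes only CHANGELOG.md and src/models/model.cc; a regression test that loads a model with a mismatched payload size and one with a zero-length string would keep both checks from regressing.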
