Add bounds checking for output tensor buffer in wasi-nn llama.cpp

sumleo · sumleo · commit acd36fc0abb2 · 2026-02-25T23:06:22.000+08:00
The get_output function copies LLM output into output_tensor-&gt;buf
without checking against output_tensor-&gt;size, allowing writes
past the buffer when the model generates output longer than the
caller-provided buffer. Add size checks for both the metadata
path and the token output loop.
diff --git a/core/iwasm/libraries/wasi-nn/src/wasi_nn_llamacpp.c b/core/iwasm/libraries/wasi-nn/src/wasi_nn_llamacpp.c
@@ -623,8 +623,11 @@ get_output(void *ctx, graph_execution_context exec_ctx, uint32_t index,
             printf("%s\n", output_metadata);
         }
 
-        memcpy(output_tensor->buf, output_metadata, strlen(output_metadata));
-        *output_tensor_size = strlen(output_metadata);
+        size_t metadata_len = strlen(output_metadata);
+        if (metadata_len > output_tensor->size)
+            metadata_len = output_tensor->size;
+        memcpy(output_tensor->buf, output_metadata, metadata_len);
+        *output_tensor_size = metadata_len;
         return success;
     }
 
@@ -643,8 +646,11 @@ get_output(void *ctx, graph_execution_context exec_ctx, uint32_t index,
             printf("%s", buf);
         }
 
-        memcpy(output_tensor->buf + end_pos, buf, strlen(buf));
-        end_pos += strlen(buf);
+        size_t piece_len = strlen(buf);
+        if (end_pos + piece_len > output_tensor->size)
+            break;
+        memcpy(output_tensor->buf + end_pos, buf, piece_len);
+        end_pos += piece_len;
     }
 
     if (backend_ctx->config.stream_stdout) {

Original file line number	Diff line number	Diff line change
`@@ -623,8 +623,11 @@ get_output(void *ctx, graph_execution_context exec_ctx, uint32_t index,`
`623`	`623`	`printf("%s\n", output_metadata);`
`624`	`624`	`}`
`625`	`625`
`626`		`- memcpy(output_tensor->buf, output_metadata, strlen(output_metadata));`
`627`		`- *output_tensor_size = strlen(output_metadata);`
	`626`	`+ size_t metadata_len = strlen(output_metadata);`
	`627`	`+ if (metadata_len > output_tensor->size)`
	`628`	`+ metadata_len = output_tensor->size;`
	`629`	`+ memcpy(output_tensor->buf, output_metadata, metadata_len);`
	`630`	`+ *output_tensor_size = metadata_len;`
`628`	`631`	`return success;`
`629`	`632`	`}`
`630`	`633`
`@@ -643,8 +646,11 @@ get_output(void *ctx, graph_execution_context exec_ctx, uint32_t index,`
`643`	`646`	`printf("%s", buf);`
`644`	`647`	`}`
`645`	`648`
`646`		`- memcpy(output_tensor->buf + end_pos, buf, strlen(buf));`
`647`		`- end_pos += strlen(buf);`
	`649`	`+ size_t piece_len = strlen(buf);`
	`650`	`+ if (end_pos + piece_len > output_tensor->size)`
	`651`	`+ break;`
	`652`	`+ memcpy(output_tensor->buf + end_pos, buf, piece_len);`
	`653`	`+ end_pos += piece_len;`
`648`	`654`	`}`
`649`	`655`
`650`	`656`	`if (backend_ctx->config.stream_stdout) {`