Skip to content

Copybara import of the project:#10640

Merged
copybara-service[bot] merged 2 commits into
masterfrom
test_941627137
Jul 2, 2026
Merged

Copybara import of the project:#10640
copybara-service[bot] merged 2 commits into
masterfrom
test_941627137

Conversation

@copybara-service

Copy link
Copy Markdown
Contributor

Copybara import of the project:

--
cc87074 by evilgensec evil.gen.sec@gmail.com:

x32-unpool: bound the index map before dereferencing the output pointers

The x32 unpooling microkernels copy each channel to output[index[c]],
where index is the caller-supplied index map and output is the per-pixel
indirection slice holding exactly kernel_elements pointers. The index
value was used to select an output pointer with no check that it is less
than kernel_elements, so an out-of-range index reads a pointer past the
indirection buffer and then writes the input element through that
out-of-bounds pointer (heap out-of-bounds read of the pointer table plus
a write through an attacker-influenced wild pointer).

Guard each index against the number of output pointers and drop values
that fall outside it, in all four variants (scalar, neon, sse2,
wasmsimd). Valid unpooling indices (produced by argmax pooling) are
always < kernel_elements, so well-formed input is unaffected; the output
is pre-initialized with the fill value, so a dropped index simply leaves
that location at fill.

FUTURE_COPYBARA_INTEGRATE_REVIEW=#10454 from evilgensec:fix/unpool-index-bounds cc87074

evilgensec and others added 2 commits June 11, 2026 13:02
The x32 unpooling microkernels copy each channel to output[index[c]],
where index is the caller-supplied index map and output is the per-pixel
indirection slice holding exactly kernel_elements pointers. The index
value was used to select an output pointer with no check that it is less
than kernel_elements, so an out-of-range index reads a pointer past the
indirection buffer and then writes the input element through that
out-of-bounds pointer (heap out-of-bounds read of the pointer table plus
a write through an attacker-influenced wild pointer).

Guard each index against the number of output pointers and drop values
that fall outside it, in all four variants (scalar, neon, sse2,
wasmsimd). Valid unpooling indices (produced by argmax pooling) are
always < kernel_elements, so well-formed input is unaffected; the output
is pre-initialized with the fill value, so a dropped index simply leaves
that location at fill.
@copybara-service copybara-service Bot merged commit d7d90f9 into master Jul 2, 2026
@copybara-service copybara-service Bot deleted the test_941627137 branch July 2, 2026 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants