Use SafeInt for overflow-safe coefficients size validation

bmehta001 · Copilot · bmehta001 · commit 6191529458dc · 2026-04-04T01:45:40.000-05:00
Address review feedback: the multiplication of num_targets * num_features
could overflow with very large dimensions. Use SafeInt for checked
multiplication and also reject negative num_targets.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/onnxruntime/core/providers/cpu/ml/linearregressor.cc b/onnxruntime/core/providers/cpu/ml/linearregressor.cc
@@ -89,7 +89,9 @@ Status LinearRegressor::Compute(OpKernelContext* ctx) const {
 
   // Coefficients are treated as a [num_targets, num_features] matrix.
   // Validate size to prevent out-of-bounds reads in the GEMM backend.
-  if (coefficients_.size() != static_cast<size_t>(num_targets_) * static_cast<size_t>(num_features)) {
+  // Use SafeInt for overflow-safe multiplication.
+  if (num_targets_ < 0 ||
+      coefficients_.size() != SafeInt<size_t>(num_targets_) * static_cast<size_t>(num_features)) {
     return ORT_MAKE_STATUS(ONNXRUNTIME, INVALID_ARGUMENT,
                            "LinearRegressor: coefficients attribute size (", coefficients_.size(),
                            ") does not match targets (", num_targets_,
