Commit 7b5b1b5

author
Github Executorch
committed
Fix TOB-EXECUTORCH-35, -37: validate XNNPACK flatbuffer graph and num_externs
Add null checks for flatbuffer_graph, xvalues(), and xnodes() after deserialization to prevent NULL pointer dereferences on malformed input. Validate num_externs does not exceed total number of values to prevent unbounded memory allocation in xnn_create_subgraph.

Authored-with: Claude
1 parent 21d9c64 commit 7b5b1b5

1 file changed

Lines changed: 16 additions & 1 deletion

backends/xnnpack/runtime/XNNCompiler.cpp

@@ -1844,6 +1844,12 @@ ET_NODISCARD Error XNNCompiler::compileModel(
18441844
flatbuffers::GetBufferIdentifier(flatbuffer_data));
18451845

18461846
auto flatbuffer_graph = fb_xnnpack::GetXNNGraph(flatbuffer_data);
1847+
ET_CHECK_OR_RETURN_ERROR(
1848+
flatbuffer_graph != nullptr && flatbuffer_graph->xvalues() != nullptr &&
1849+
flatbuffer_graph->xnodes() != nullptr,
1850+
InvalidProgram,
1851+
"Failed to deserialize XNNPACK flatbuffer graph; null graph, xvalues, or xnodes.");
1852+
18471853
// initialize xnnpack
18481854
xnn_status status = xnn_initialize(/*allocator =*/nullptr);
18491855
ET_CHECK_OR_RETURN_ERROR(
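Review bot: The new check after `GetXNNGraph(flatbuffer_data)` only rejects absent fields; a non-null `flatbuffer_graph`, `xvalues()` or `xnodes()` pointer says nothing about whether the offsets and vector lengths they were derived from lie inside the buffer. Nothing visible in this hunk verifies the buffer beyond reading its identifier, so please confirm that a `flatbuffers::Verifier` pass (with the real buffer length) runs before this point, or add one, otherwise a malformed input can still drive out-of-bounds reads through these accessors. A smaller point: the three conditions share one message, so a failure does not say which of graph, xvalues or xnodes was null; splitting them into separate `ET_CHECK_OR_RETURN_ERROR` calls would make a rejected program easier to diagnose.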
@@ -1853,9 +1859,18 @@ ET_NODISCARD Error XNNCompiler::compileModel(
18531859
xnn_status_to_string(status));
18541860

18551861
// create xnnpack subgraph
1862+
uint32_t num_externs = flatbuffer_graph->num_externs();
1863+
uint32_t num_values = flatbuffer_graph->xvalues()->size();
1864+
ET_CHECK_OR_RETURN_ERROR(
1865+
num_externs <= num_values,
1866+
InvalidProgram,
1867+
"num_externs (%u) exceeds total number of values (%u)",
1868+
num_externs,
1869+
num_values);
1870+
18561871
xnn_subgraph_t subgraph_ptr = nullptr;
18571872
status = xnn_create_subgraph(
1858-
/*external_value_ids=*/flatbuffer_graph->num_externs(),
1873+
/*external_value_ids=*/num_externs,
18591874
/*flags=*/0,
18601875
&subgraph_ptr);
18611876
ET_CHECK_OR_RETURN_ERROR(
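Review bot: In the new `num_externs <= num_values` check, both operands are declared `uint32_t` but the message formats them with `%u`; on targets where `uint32_t` is not `unsigned int` that is a format mismatch, so prefer `PRIu32` from `<cinttypes>` or cast the arguments to `unsigned`. It would also help to add a one-line comment above the check explaining why `xvalues()->size()` is the right upper bound for the count passed as `external_value_ids`, since the existing `// create xnnpack subgraph` comment now sits above the validation rather than the call, and the bound itself is read from the same untrusted buffer, so it limits the allocation relative to input size rather than to a fixed ceiling.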
