Fix integer overflow in compute_numel() (TOB-EXECUTORCH-19)

Github Executorch · Github Executorch · commit a8ff3d78af62 · 2026-03-30T17:01:50.000-07:00
compute_numel() multiplies tensor dimensions without overflow protection.
The result is used for size calculations in make_tensor_ptr() and
clone_tensor_ptr(), so an overflow could lead to undersized allocations
and subsequent buffer overflows.

Add an ET_CHECK_MSG before each multiplication to verify that
numel * sizes[i] will not exceed SSIZE_MAX.

This PR was authored with the assistance of Claude.
diff --git a/runtime/core/portable_type/tensor_impl.cpp b/runtime/core/portable_type/tensor_impl.cpp
@@ -9,6 +9,7 @@
 #include <executorch/runtime/core/portable_type/tensor_impl.h>
 
 #include <algorithm>
+#include <climits>
 #include <cstdint>
 
 #include <c10/util/irange.h>
@@ -38,6 +39,12 @@ ssize_t compute_numel(const TensorImpl::SizesType* sizes, ssize_t dim) {
         "Size must be non-negative, got %zd at dimension %zd",
         static_cast<ssize_t>(sizes[i]),
         i);
+    ET_CHECK_MSG(
+        sizes[i] == 0 || numel <= SSIZE_MAX / sizes[i],
+        "Overflow computing numel: %zd * %zd would overflow ssize_t at dimension %zd",
+        numel,
+        static_cast<ssize_t>(sizes[i]),
+        i);
     numel *= sizes[i];
   }
   return numel;
