Integer overflow in PlatformMemoryAllocator::allocate() by lucylq · Pull Request #18680 · pytorch/executorch

lucylq · 2026-04-02T21:17:56Z

Add overflow checking before computing the total allocation size (sizeof(AllocationNode) + size + alignment) in PlatformMemoryAllocator::allocate().

Previously, when this sum exceeded SIZE_MAX, it would wrap around to a small value, causing pal_allocate to allocate an undersized buffer. This could lead to subsequent out-of-bounds writes. The fix validates each addition step against SIZE_MAX and returns nullptr on overflow.

This PR was authored with the assistance of Claude.

Test plan

cmake -B build -DEXECUTORCH_BUILD_TESTS=ON
cmake --build build --target memory_allocator_test
ctest --test-dir build -R memory_allocator_test --output-on-failure

pytorch-bot · 2026-04-02T21:18:01Z

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18680

📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

⏳ No Failures, 124 Pending

As of commit 55e646a with merge base 3d2c853 ():
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

github-actions · 2026-04-02T21:18:41Z

This PR needs a `release notes:` label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

Copilot

Pull request overview

This PR fixes a potential integer overflow in PlatformMemoryAllocator::allocate() by validating size additions before calculating the total allocation size, preventing undersized allocations that could lead to out-of-bounds writes.

Changes:

Add overflow-checked computation for alloc_size using c10::add_overflows.
Log and return nullptr when an overflow is detected during allocation size calculation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-02T21:37:50Z

runtime/executor/platform_memory_allocator.h

 #include <cinttypes>
 #include <cstdint>

+#include <c10/util/safe_numerics.h>


<c10/util/safe_numerics.h> is already included by executorch/runtime/core/memory_allocator.h, so this direct include is redundant here. Consider removing it to keep header dependencies minimal and reduce rebuild churn.

Suggested change

#include <c10/util/safe_numerics.h>

runtime/executor/platform_memory_allocator.h

…UTORCH-26) Add overflow checking before computing the total allocation size (sizeof(AllocationNode) + size + alignment) in PlatformMemoryAllocator::allocate(). Previously, when this sum exceeded SIZE_MAX, it would wrap around to a small value, causing pal_allocate to allocate an undersized buffer. This could lead to subsequent out-of-bounds writes. The fix validates each addition step against SIZE_MAX and returns nullptr on overflow. This PR was authored with the assistance of Claude.

meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 2, 2026

lucylq changed the title ~~Fix integer overflow in PlatformMemoryAllocator::allocate() (TOB-EXEC…~~ Integer overflow in PlatformMemoryAllocator::allocate() Apr 2, 2026

lucylq force-pushed the security26 branch from 7ef0441 to 0f1f47a Compare April 2, 2026 21:26

lucylq added the security-fix label Apr 2, 2026

lucylq marked this pull request as ready for review April 2, 2026 21:34

lucylq requested a review from JacobSzwejbka as a code owner April 2, 2026 21:34

Copilot AI review requested due to automatic review settings April 2, 2026 21:34

Copilot started reviewing on behalf of lucylq April 2, 2026 21:35 View session

Copilot AI reviewed Apr 2, 2026

View reviewed changes

lucylq force-pushed the security26 branch from 0f1f47a to 55e646a Compare April 6, 2026 18:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integer overflow in PlatformMemoryAllocator::allocate()#18680

Integer overflow in PlatformMemoryAllocator::allocate()#18680
lucylq wants to merge 1 commit intomainfrom
security26

lucylq commented Apr 2, 2026 •

edited

Loading

Uh oh!

pytorch-bot bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 2, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Apr 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

lucylq commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test plan

Uh oh!

pytorch-bot bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18680

⏳ No Failures, 124 Pending

Uh oh!

github-actions bot commented Apr 2, 2026

This PR needs a release notes: label

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

lucylq commented Apr 2, 2026 •

edited

Loading

pytorch-bot bot commented Apr 2, 2026 •

edited

Loading

This PR needs a `release notes:` label