From 7b5b1b5de605b5e7cb3de5bfb5aac6391840273f Mon Sep 17 00:00:00 2001 From: Github Executorch Date: Wed, 8 Apr 2026 17:14:21 -0700 Subject: [PATCH] Fix TOB-EXECUTORCH-35, -37: validate XNNPACK flatbuffer graph and num_externs Add null checks for flatbuffer_graph, xvalues(), and xnodes() after deserialization to prevent NULL pointer dereferences on malformed input. Validate num_externs does not exceed total number of values to prevent unbounded memory allocation in xnn_create_subgraph. Authored-with: Claude --- backends/xnnpack/runtime/XNNCompiler.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/backends/xnnpack/runtime/XNNCompiler.cpp b/backends/xnnpack/runtime/XNNCompiler.cpp index 4881844ac6d..ba7a2b93020 100644 --- a/backends/xnnpack/runtime/XNNCompiler.cpp +++ b/backends/xnnpack/runtime/XNNCompiler.cpp @@ -1844,6 +1844,12 @@ ET_NODISCARD Error XNNCompiler::compileModel( flatbuffers::GetBufferIdentifier(flatbuffer_data)); auto flatbuffer_graph = fb_xnnpack::GetXNNGraph(flatbuffer_data); + ET_CHECK_OR_RETURN_ERROR( + flatbuffer_graph != nullptr && flatbuffer_graph->xvalues() != nullptr && + flatbuffer_graph->xnodes() != nullptr, + InvalidProgram, + "Failed to deserialize XNNPACK flatbuffer graph; null graph, xvalues, or xnodes."); + // initialize xnnpack xnn_status status = xnn_initialize(/*allocator =*/nullptr); ET_CHECK_OR_RETURN_ERROR( @@ -1853,9 +1859,18 @@ ET_NODISCARD Error XNNCompiler::compileModel( xnn_status_to_string(status)); // create xnnpack subgraph + uint32_t num_externs = flatbuffer_graph->num_externs(); + uint32_t num_values = flatbuffer_graph->xvalues()->size(); + ET_CHECK_OR_RETURN_ERROR( + num_externs <= num_values, + InvalidProgram, + "num_externs (%u) exceeds total number of values (%u)", + num_externs, + num_values); + xnn_subgraph_t subgraph_ptr = nullptr; status = xnn_create_subgraph( - /*external_value_ids=*/flatbuffer_graph->num_externs(), + /*external_value_ids=*/num_externs, /*flags=*/0, &subgraph_ptr); ET_CHECK_OR_RETURN_ERROR(