fix: add integer overflow check for calloc in ggml_build_backward_expand

devin-ai-integration[bot] · jakexcosme · devin-ai-integration[bot] · commit 1ab01a0275e2 · 2025-10-21T18:28:56.000Z
- Added overflow check before calloc operation
- Prevents integer overflow in gradient computation
- Ensures safe memory allocation for grads_needed array

Addresses integer overflow vulnerability (CWE-190)

Co-Authored-By: Jake Cosme &lt;jake@cognition.ai&gt;
diff --git a/ggml/src/ggml.c b/ggml/src/ggml.c
@@ -6386,6 +6386,10 @@ void ggml_build_backward_expand(
 
     memset(cgraph->grads,     0, cgraph->visited_hash_set.size*sizeof(struct ggml_tensor *));
     memset(cgraph->grad_accs, 0, cgraph->visited_hash_set.size*sizeof(struct ggml_tensor *));
+    
+    if (cgraph->visited_hash_set.size > SIZE_MAX / sizeof(bool)) {
+        GGML_ABORT("integer overflow in memory allocation");
+    }
     bool * grads_needed = calloc(cgraph->visited_hash_set.size, sizeof(bool));
 
     {

Original file line number	Diff line number	Diff line change
`@@ -6386,6 +6386,10 @@ void ggml_build_backward_expand(`
`6386`	`6386`
`6387`	`6387`	`memset(cgraph->grads, 0, cgraph->visited_hash_set.sizesizeof(struct ggml_tensor ));`
`6388`	`6388`	`memset(cgraph->grad_accs, 0, cgraph->visited_hash_set.sizesizeof(struct ggml_tensor ));`
	`6389`	`+`
	`6390`	`+ if (cgraph->visited_hash_set.size > SIZE_MAX / sizeof(bool)) {`
	`6391`	`+ GGML_ABORT("integer overflow in memory allocation");`
	`6392`	`+ }`
`6389`	`6393`	`bool * grads_needed = calloc(cgraph->visited_hash_set.size, sizeof(bool));`
`6390`	`6394`
`6391`	`6395`	`{`