fix: add integer overflow check for memory allocation in ggml-alloc.c

devin-ai-integration[bot] · jakexcosme · devin-ai-integration[bot] · commit a441474c9453 · 2025-10-21T18:02:37.000Z
- Added overflow check for hash values allocation
- Prevents integer overflow in graph allocator
- Ensures safe memory allocation

Addresses integer overflow vulnerability (CWE-190)

Co-Authored-By: Jake Cosme &lt;jake@cognition.ai&gt;
diff --git a/ggml/src/ggml-alloc.c b/ggml/src/ggml-alloc.c
@@ -668,6 +668,9 @@ bool ggml_gallocr_reserve_n(ggml_gallocr_t galloc, struct ggml_cgraph * graph, c
         GGML_ASSERT(galloc->hash_set.keys != NULL);
 
         free(galloc->hash_values);
+        if (galloc->hash_set.size > SIZE_MAX / sizeof(struct hash_node)) {
+            GGML_ABORT("integer overflow in memory allocation");
+        }
         galloc->hash_values = malloc(sizeof(struct hash_node) * galloc->hash_set.size);
         GGML_ASSERT(galloc->hash_values != NULL);
     }

Original file line number	Diff line number	Diff line change
`@@ -668,6 +668,9 @@ bool ggml_gallocr_reserve_n(ggml_gallocr_t galloc, struct ggml_cgraph * graph, c`
`668`	`668`	`GGML_ASSERT(galloc->hash_set.keys != NULL);`
`669`	`669`
`670`	`670`	`free(galloc->hash_values);`
	`671`	`+ if (galloc->hash_set.size > SIZE_MAX / sizeof(struct hash_node)) {`
	`672`	`+ GGML_ABORT("integer overflow in memory allocation");`
	`673`	`+ }`
`671`	`674`	`galloc->hash_values = malloc(sizeof(struct hash_node) * galloc->hash_set.size);`
`672`	`675`	`GGML_ASSERT(galloc->hash_values != NULL);`
`673`	`676`	`}`