ggml : prevent integer overflow in tensor size calculation ggml-org#14595

Nexesenex · Nexesenex · commit 88059426696e · 2025-07-09T14:28:02.000+02:00
Author : Yuuoniy
diff --git a/ggml/src/gguf.cpp b/ggml/src/gguf.cpp
@@ -677,7 +677,14 @@ struct gguf_context * gguf_init_from_file_impl(FILE * file, struct gguf_init_par
                 gguf_free(ctx);
                 return nullptr;
             }
-            ctx->size += GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);
+            size_t padded_size = GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);
+            if (SIZE_MAX - ctx->size < padded_size) {
+                GGML_LOG_ERROR("%s: tensor '%s' size overflow, cannot accumulate size %zu + %zu\n",
+                    __func__, ti.t.name, ctx->size, padded_size);
+                gguf_free(ctx);
+                return nullptr;
+            }
+            ctx->size += padded_size;
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -677,7 +677,14 @@ struct gguf_context * gguf_init_from_file_impl(FILE * file, struct gguf_init_par`
`677`	`677`	`gguf_free(ctx);`
`678`	`678`	`return nullptr;`
`679`	`679`	`}`
`680`		`- ctx->size += GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);`
	`680`	`+ size_t padded_size = GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);`
	`681`	`+ if (SIZE_MAX - ctx->size < padded_size) {`
	`682`	`+ GGML_LOG_ERROR("%s: tensor '%s' size overflow, cannot accumulate size %zu + %zu\n",`
	`683`	`+ __func__, ti.t.name, ctx->size, padded_size);`
	`684`	`+ gguf_free(ctx);`
	`685`	`+ return nullptr;`
	`686`	`+ }`
	`687`	`+ ctx->size += padded_size;`
`681`	`688`	`}`
`682`	`689`	`}`
`683`	`690`