From 303ae289c5fab5e16b13d76515a099e5e86306d9 Mon Sep 17 00:00:00 2001
From: sshekhar563 <shekharsiddhant93@gmail.com>
Date: Mon, 6 Oct 2025 19:52:57 +0530
Subject: [PATCH 1/4] Fix: Prevent out-of-bounds read in dequantize merge

---
 .../graph_optimizer/prepare_quantization.cpp  | 35 ++++++++++++-------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
index 9f67ec1d2f9aca..63880f7c98369c 100644
--- a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
+++ b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
@@ -368,23 +368,32 @@ void prepare_quantization::prepare_dequantize_merge(program& p, eltwise_node& el
         if (!valid_scale_node)
             continue;
 
-        bool same_params = true;
-        for (size_t i = 1; i < eltwise_node.get_dependencies().size(); i++) {
-            auto mem0 = get_scale_shift_mem(eltwise_dep, i);
-            auto mem1 = get_scale_shift_mem(eltwise_node, i);
+      //...
+       bool same_params = true;
+       for (size_t i = 1; i < eltwise_node.get_dependencies().size(); i++) {
+        auto mem0 = get_scale_shift_mem(eltwise_dep, i);
+       auto mem1 = get_scale_shift_mem(eltwise_node, i);
+
+        // ✅ FIXED: Check sizes first!
+        if (mem0->get_layout().bytes_count() != mem1->get_layout().bytes_count()) {
+            same_params = false;
+            // No need to check the rest of the dependencies if one is already different
+            break; 
+        }
 
             mem_lock<uint8_t, mem_lock_type::read> mem0_lock{mem0, stream};
             mem_lock<uint8_t, mem_lock_type::read> mem1_lock{mem1, stream};
-            auto ptr0 = mem0_lock.data();
-            auto ptr1 = mem1_lock.data();
-
-            for (size_t j = 0; j < mem0->get_layout().bytes_count(); j++) {
-                if (ptr0[j] != ptr1[j]) {
-                    same_params = false;
-                    break;
-                }
+             auto ptr0 = mem0_lock.data();
+              auto ptr1 = mem1_lock.data();
+
+        // Now this loop is safe
+         for (size_t j = 0; j < mem0->get_layout().bytes_count(); j++) {
+               if (ptr0[j] != ptr1[j]) {
+                   same_params = false;
+                       break;
+                 }
             }
-
+//...
             // Avoid mem0 and mem1's memory are inplace, but they have different layout.
             if (!mem0->get_layout().get_partial_shape().compatible(mem1->get_layout().get_partial_shape())) {
                 same_params = false;

From 61814324c7d304337bface960900bc0bf0676433 Mon Sep 17 00:00:00 2001
From: Siddhant Shekhar <shekharsiddhant93@gmail.com>
Date: Mon, 6 Oct 2025 20:12:08 +0530
Subject: [PATCH 2/4] Update prepare_quantization.cpp

---
 .../src/graph/graph_optimizer/prepare_quantization.cpp          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
index c058509d7142cb..c69fc43e9b4a76 100644
--- a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
+++ b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
@@ -374,7 +374,7 @@ void prepare_quantization::prepare_dequantize_merge(program& p, eltwise_node& el
         auto mem0 = get_scale_shift_mem(eltwise_dep, i);
        auto mem1 = get_scale_shift_mem(eltwise_node, i);
 
-        // ✅ FIXED: Check sizes first!
+        //  FIXED: Check sizes first!
         if (mem0->get_layout().bytes_count() != mem1->get_layout().bytes_count()) {
             same_params = false;
             // No need to check the rest of the dependencies if one is already different

From 44ad61160b73ce6a0e8a2332951a469c85b76738 Mon Sep 17 00:00:00 2001
From: Siddhant Shekhar <shekharsiddhant93@gmail.com>
Date: Mon, 6 Oct 2025 21:06:22 +0530
Subject: [PATCH 3/4] Update prepare_quantization.cpp

---
 .../src/graph/graph_optimizer/prepare_quantization.cpp      | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
index c69fc43e9b4a76..e88c3911e256ef 100644
--- a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
+++ b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
@@ -368,32 +368,26 @@ void prepare_quantization::prepare_dequantize_merge(program& p, eltwise_node& el
         if (!valid_scale_node)
             continue;
 
-      //...
        bool same_params = true;
        for (size_t i = 1; i < eltwise_node.get_dependencies().size(); i++) {
         auto mem0 = get_scale_shift_mem(eltwise_dep, i);
        auto mem1 = get_scale_shift_mem(eltwise_node, i);
 
-        //  FIXED: Check sizes first!
         if (mem0->get_layout().bytes_count() != mem1->get_layout().bytes_count()) {
             same_params = false;
-            // No need to check the rest of the dependencies if one is already different
             break; 
         }
-
             mem_lock<uint8_t, mem_lock_type::read> mem0_lock{mem0, stream};
             mem_lock<uint8_t, mem_lock_type::read> mem1_lock{mem1, stream};
              auto ptr0 = mem0_lock.data();
               auto ptr1 = mem1_lock.data();
 
-        // Now this loop is safe
          for (size_t j = 0; j < mem0->get_layout().bytes_count(); j++) {
                if (ptr0[j] != ptr1[j]) {
                    same_params = false;
                        break;
                  }
             }
-//...
             // Avoid mem0 and mem1's memory are inplace, but they have different layout.
             if (!mem0->get_layout().get_partial_shape().compatible(mem1->get_layout().get_partial_shape())) {
                 same_params = false;

From f1244ce776970080e9ad91f5d73b66087189fc65 Mon Sep 17 00:00:00 2001
From: Siddhant Shekhar <shekharsiddhant93@gmail.com>
Date: Tue, 7 Oct 2025 11:12:47 +0530
Subject: [PATCH 4/4] Update prepare_quantization.cpp

---
 .../graph_optimizer/prepare_quantization.cpp  | 35 ++++++++++---------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
index e88c3911e256ef..fa87561833e667 100644
--- a/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
+++ b/src/plugins/intel_gpu/src/graph/graph_optimizer/prepare_quantization.cpp
@@ -368,25 +368,26 @@ void prepare_quantization::prepare_dequantize_merge(program& p, eltwise_node& el
         if (!valid_scale_node)
             continue;
 
-       bool same_params = true;
-       for (size_t i = 1; i < eltwise_node.get_dependencies().size(); i++) {
-        auto mem0 = get_scale_shift_mem(eltwise_dep, i);
-       auto mem1 = get_scale_shift_mem(eltwise_node, i);
-
-        if (mem0->get_layout().bytes_count() != mem1->get_layout().bytes_count()) {
-            same_params = false;
-            break; 
-        }
+        bool same_params = true;
+        for (size_t i = 1; i < eltwise_node.get_dependencies().size(); i++) {
+            auto mem0 = get_scale_shift_mem(eltwise_dep, i);
+            auto mem1 = get_scale_shift_mem(eltwise_node, i);
+            
+            if (mem0->get_layout().bytes_count() != mem1->get_layout().bytes_count()) {
+                same_params = false;
+                break;
+            }
+
             mem_lock<uint8_t, mem_lock_type::read> mem0_lock{mem0, stream};
             mem_lock<uint8_t, mem_lock_type::read> mem1_lock{mem1, stream};
-             auto ptr0 = mem0_lock.data();
-              auto ptr1 = mem1_lock.data();
-
-         for (size_t j = 0; j < mem0->get_layout().bytes_count(); j++) {
-               if (ptr0[j] != ptr1[j]) {
-                   same_params = false;
-                       break;
-                 }
+            auto ptr0 = mem0_lock.data();
+            auto ptr1 = mem1_lock.data();
+
+            for (size_t j = 0; j < mem0->get_layout().bytes_count(); j++) {
+                if (ptr0[j] != ptr1[j]) {
+                    same_params = false;
+                    break;
+                }
             }
             // Avoid mem0 and mem1's memory are inplace, but they have different layout.
             if (!mem0->get_layout().get_partial_shape().compatible(mem1->get_layout().get_partial_shape())) {