Skip to content

operators: guard unpooling indirection buffer size against overflow#10782

Open
destro4evr-rgb wants to merge 1 commit into
google:masterfrom
destro4evr-rgb:fix/unpooling-indirection-size-overflow
Open

operators: guard unpooling indirection buffer size against overflow#10782
destro4evr-rgb wants to merge 1 commit into
google:masterfrom
destro4evr-rgb:fix/unpooling-indirection-size-overflow

Conversation

@destro4evr-rgb

@destro4evr-rgb destro4evr-rgb commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

xnn_reshape_unpooling2d_nhwc_x32 computed the indirection buffer size as a raw four-factor product with no overflow guard:

const size_t pooling_size = pooling_height * pooling_width;
// ...
const size_t indirection_buffer_size =
    sizeof(void*) * (batch_size * input_height * input_width * pooling_size);

On 32-bit targets (WebAssembly, ARM32) where size_t is 32 bits and sizeof(void*) = 4, the product overflows when its true value exceeds 2²⁸. The wrapped result causes xnn_reallocate_memory to return an undersized allocation; xnn_indirection_init_unpool2d then writes the full intended extent of pointer entries out of bounds - a heap out-of-bounds write.

This fix replaces the raw product with a xnn_safe_mul chain that returns xnn_status_out_of_memory on overflow, consistent with the pattern used in average-pooling-nhwc.c and argmax-pooling-nhwc.c.

xnn_reshape_unpooling2d_nhwc_x32 computed the indirection buffer size
with a raw four-factor multiplication (batch_size * input_height *
input_width * pooling_size * sizeof(void*)) with no overflow check.
Large caller-supplied dimensions silently wrap the product to a value far
smaller than required. xnn_reallocate_memory then returns a valid pointer
to an undersized buffer, and xnn_indirection_init_unpool2d subsequently
writes the full (attacker-sized) number of pointer entries out of bounds.

Replace the raw multiplication with chained xnn_safe_mul calls, matching
the pattern already used in argmax-pooling-nhwc.c and average-pooling-nhwc.c
after PR google#10646.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant