From 033e1d8eb19d19e91ad967017270ccba3235558f Mon Sep 17 00:00:00 2001
From: Github Executorch
Date: Wed, 4 Mar 2026 20:57:24 -0800
Subject: [PATCH] Fix integer overflow in program.cpp bounds checks (TOB-EXECUTORCH-17, TOB-EXECUTORCH-24)

TOB-EXECUTORCH-17: In get_constant_buffer_data(), the bounds check `offset + nbytes <= size` can overflow when offset and nbytes are large. Replace with the overflow-safe pattern `offset <= size && nbytes <= size - offset`.

TOB-EXECUTORCH-24: In Program::load(), the computation `segment_base_offset + segment_data_size` for the expected file size can overflow. Add an explicit overflow check before the addition to ensure the sum does not exceed SIZE_MAX.

This PR was authored with the assistance of Claude.
---
 runtime/executor/program.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/runtime/executor/program.cpp b/runtime/executor/program.cpp
index 60291a2acd1..d3662a12d1d 100644
--- a/runtime/executor/program.cpp
+++ b/runtime/executor/program.cpp
@@ -92,6 +92,12 @@ Result get_execution_plan(
 // is positive (0-value may indicate no segments)
 if ((segment_data_size == 0 && segment_base_offset == 0) ||
 segment_data_size > 0) {
+ ET_CHECK_OR_RETURN_ERROR(
+ segment_base_offset <= SIZE_MAX - segment_data_size,
+ InvalidProgram,
+ "segment_base_offset %zu + segment_data_size %zu overflows",
+ segment_base_offset,
+ segment_data_size);
 size_t expected = segment_base_offset == 0
 ? program_size
 : segment_base_offset + segment_data_size;
@@ -395,7 +401,7 @@ Result Program::get_constant_buffer_data(
 size_t size = constant_segment_data_.size();
 ET_CHECK_OR_RETURN_ERROR(
- offset + nbytes <= size,
+ offset <= size && nbytes <= size - offset,
 InvalidArgument,
 "Constant segment offset %" PRIu64 " + size_bytes %zu invalid for program constant segment size %zu",
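Review bot: The guard `segment_base_offset <= SIZE_MAX - segment_data_size` is only sound if both operands are `size_t`; the `%zu` conversions in the new message suggest they are, but the sibling hunk in `get_constant_buffer_data` prints its offset with `PRIu64`, so if either value is a `uint64_t` copied straight from the header, the bound and the format specifiers would both be wrong on 32-bit targets — worth confirming the declarations, which lie outside the hunk. A one-line comment above the check would help the next reader see what it protects: `// The sum below must not wrap size_t; check before computing 'expected'.`. `SIZE_MAX` does not appear elsewhere in the hunk, so confirm `<cstdint>` (or `<stdint.h>`) is already included by this file rather than reaching it transitively. The enclosing function (labelled `get_execution_plan` by the hunk header but described as `Program::load()` in the commit message) starts and ends outside the hunk.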