From: Miaoqian Lin
Date: Wed, 9 Jul 2025 12:33:53 +0000 (+0800)
Subject: ggml : prevent integer overflow in gguf tensor size calculation (#14595)
X-Git-Tag: upstream/0.0.5882~28
X-Git-Url: https://git.djapps.eu/?a=commitdiff_plain;h=26a48ad699d50b6268900062661bd22f3e792579;p=pkg%2Fggml%2Fsources%2Fllama.cpp
ggml : prevent integer overflow in gguf tensor size calculation (#14595)
---
diff --git a/ggml/src/gguf.cpp b/ggml/src/gguf.cpp
index 5ffd12b8..53504399 100644
--- a/ggml/src/gguf.cpp
+++ b/ggml/src/gguf.cpp
@@ -631,7 +631,14 @@ struct gguf_context * gguf_init_from_file_impl(FILE * file, struct gguf_init_par
 gguf_free(ctx);
 return nullptr;
 }
- ctx->size += GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);
+ size_t padded_size = GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment);
+ if (SIZE_MAX - ctx->size < padded_size) {
+ GGML_LOG_ERROR("%s: tensor '%s' size overflow, cannot accumulate size %zu + %zu\n",
+ __func__, ti.t.name, ctx->size, padded_size);
+ gguf_free(ctx);
+ return nullptr;
+ }
+ ctx->size += padded_size;
 }
 }
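Review bot: The new guard covers the `ctx->size + padded_size` addition but not the rounding inside `GGML_PAD(ggml_nbytes(&ti.t), ctx->alignment)` on the first added line. If the macro rounds up by adding `alignment - 1` before masking (its definition is not in this hunk), a byte count within `alignment - 1` of SIZE_MAX wraps to a small `padded_size` and passes the check. Both the tensor shape and the alignment are read from the file being parsed, so I would reject that case before padding: `const size_t nbytes = ggml_nbytes(&ti.t);` followed by `if (nbytes > SIZE_MAX - (ctx->alignment - 1)) { ... }` with the same log, `gguf_free(ctx)` and `return nullptr` as the added branch. Whether `ggml_nbytes` can itself wrap for these dimensions depends on validation earlier in `gguf_init_from_file_impl`, whose body starts and ends outside the hunk.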