From: Rick G Date: Sun, 24 Mar 2024 21:45:56 +0000 (-0700) Subject: Fix heap corruption from wmode out-of-bound writes on windows (llama/6272) X-Git-Tag: upstream/0.0.1642~815 X-Git-Url: https://git.djapps.eu/?a=commitdiff_plain;h=fc815abac49a8d23d14eeb1060c5c87f1a0b0255;p=pkg%2Fggml%2Fsources%2Fggml Fix heap corruption from wmode out-of-bound writes on windows (llama/6272) * would throw error on VS2022 on GGML_FREE(wmode) * wchar_t is usually 2 bytes, but malloc wants bytes * therefore `*wmode_p++ = (wchar_t)*mode;` could write off the end of the allocation * Fixes error possibly introduced by https://github.com/ggerganov/llama.cpp/pull/6248 --- diff --git a/src/ggml.c b/src/ggml.c index 18f10a3d..203a9e54 100644 --- a/src/ggml.c +++ b/src/ggml.c @@ -465,7 +465,7 @@ FILE * ggml_fopen(const char * fname, const char * mode) { wchar_t * wfname = ggml_mbstowcs(fname); if (wfname) { // convert mode (ANSI) - wchar_t * wmode = GGML_MALLOC(strlen(mode) + 1); + wchar_t * wmode = GGML_MALLOC((strlen(mode) + 1) * sizeof(wchar_t)); wchar_t * wmode_p = wmode; do { *wmode_p++ = (wchar_t)*mode;
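Review bot: `wmode` is written through `wmode_p` in the `do` loop immediately after the `GGML_MALLOC(...)` call, and no NULL check is visible in this hunk. If `GGML_MALLOC` can return NULL here, test `wmode` before the loop and take the failure path instead of executing `*wmode_p++ = (wchar_t)*mode;`. On the changed line itself, `sizeof(*wmode)` in place of `sizeof(wchar_t)` would keep the element size tied to the pointer's declared type, so the count-versus-bytes mistake this patch fixes cannot return if the type is ever changed. A one-line comment that `strlen(mode) + 1` is a count of wide characters, terminator included, would also help the next reader.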