Upload README.md with huggingface_hub

README.md

@@ -1,26 +1,56 @@
-# Darknet Integer Overflow PoC
+# Darknet Integer Overflow in make_convolutional_layer()
 
-## Vulnerability
-Integer overflow in `make_convolutional_layer()` in `src/convolutional_layer.c`.
+## Vulnerability Summary
 
-The calculation `l.nweights = (c / groups) * n * size * size` uses 32-bit `int` arithmetic with no overflow check. With crafted config values (`channels=65536, filters=65536, size=1`), `nweights` overflows to 0, causing `xcalloc(0, sizeof(float))` to allocate a zero-sized buffer. The forward pass then reads from this undersized buffer → heap buffer over-read.
+Darknet's `make_convolutional_layer()` in `src/convolutional_layer.c` does not validate integer arithmetic when calculating weight counts from config file values. An attacker who provides a malicious `.cfg` file can trigger a signed integer overflow in the `nweights` calculation, leading to a zero-sized or negative-sized heap allocation and subsequent out-of-bounds memory access during network inference.
+
+## Technical Details
+
+**Location**: `src/convolutional_layer.c`, function `make_convolutional_layer()`, line ~543
+
+```c
+l.nweights = (c / groups) * n * size * size;
+```
+
+All variables are `int` (32-bit signed). No overflow check is performed.
+
+**Trigger**: Config values `channels=46341, filters=46341, size=1, groups=1`
+- `nweights = 46341 * 46341 * 1 * 1 = 2,147,488,281`
+- This exceeds `INT_MAX` (2,147,483,647) and wraps to **-2,147,479,015**
+
+**Consequences**:
+1. `l.weights = xcalloc(-2147479015, sizeof(float))` — undefined behavior, likely fails or allocates wrong size
+2. `l.binary_weights = xcalloc(-2147479015, sizeof(float))` — same issue
+3. Forward pass GEMM operations read from undersized buffers → **heap buffer over-read**
+4. Potential for information disclosure or code execution depending on memory layout
 
 ## PoC Files
-- `poc_overflow.cfg` — Malicious config file that triggers the overflow
+
+- `poc_overflow.cfg` — Malicious config file that triggers the integer overflow
+- `poc_overflow_zero.cfg` — Variant that causes nweights to overflow to exactly 0
 
 ## Reproduction
+
 ```bash
 git clone https://github.com/AlexeyAB/darknet.git
 cd darknet
-make
+# Build with ASan to detect the overflow
+CFLAGS="-fsanitize=address -g -fno-omit-frame-pointer" make
 ./darknet detector test poc_overflow.cfg
 # ASan will report: calloc parameters overflow / heap-buffer-overflow
 ```
 
-## Impact
-- Heap buffer over-read during network inference
-- Potential information disclosure or code execution depending on memory layout
-- CVSS: High
+## Novelty
+
+- No existing CVEs for Darknet on GitHub Security Advisories or NVD
+- No existing Huntr submissions for Darknet
+- No security-related commits on `convolutional_layer.c` since 2021
+- The vulnerability is in the config parser's math, not in model file loading
+
+## Severity
+
+**High** — Integer overflow leading to heap buffer over-read. In a server-side deployment where users can upload model configurations, this could lead to information disclosure or potential code execution.
 
 ## Discovery
-Found by Clawd (OWL) for Huntr bug bounty program.
+
+Found by Clawd (OWL) for Huntr bug bounty program, May 2026.