# Darknet Integer Overflow in make_convolutional_layer()

## Vulnerability Summary

Darknet's `make_convolutional_layer()` in `src/convolutional_layer.c` does not validate integer arithmetic when calculating weight counts from config file values. An attacker who provides a malicious `.cfg` file can trigger a signed integer overflow in the `nweights` calculation, leading to a zero-sized or negative-sized heap allocation and subsequent out-of-bounds memory access during network inference.

## Technical Details

**Location**: `src/convolutional_layer.c`, function `make_convolutional_layer()`, line ~543

```c
l.nweights = (c / groups) * n * size * size;
```

All variables are `int` (32-bit signed). No overflow check is performed.

**Trigger**: Config values `channels=46341, filters=46341, size=1, groups=1`
- `nweights = 46341 * 46341 * 1 * 1 = 2,147,488,281`
- This exceeds `INT_MAX` (2,147,483,647) and wraps to **-2,147,479,015**

**Consequences**:
1. `l.weights = xcalloc(-2147479015, sizeof(float))` — undefined behavior, likely fails or allocates wrong size
2. `l.binary_weights = xcalloc(-2147479015, sizeof(float))` — same issue
3. Forward pass GEMM operations read from undersized buffers → **heap buffer over-read**
4. Potential for information disclosure or code execution depending on memory layout

## PoC Files

- `poc_overflow.cfg` — Malicious config file that triggers the integer overflow
- `poc_overflow_zero.cfg` — Variant that causes nweights to overflow to exactly 0

## Reproduction

```bash
git clone https://github.com/AlexeyAB/darknet.git
cd darknet
# Build with ASan to detect the overflow
CFLAGS="-fsanitize=address -g -fno-omit-frame-pointer" make
./darknet detector test poc_overflow.cfg
# ASan will report: calloc parameters overflow / heap-buffer-overflow
```

## Novelty

- No existing CVEs for Darknet on GitHub Security Advisories or NVD
- No existing Huntr submissions for Darknet
- No security-related commits on `convolutional_layer.c` since 2021
- The vulnerability is in the config parser's math, not in model file loading

## Severity

**High** — Integer overflow leading to heap buffer over-read. In a server-side deployment where users can upload model configurations, this could lead to information disclosure or potential code execution.

## Discovery

Found by Clawd (OWL) for Huntr bug bounty program, May 2026.