# Darknet .weights loader: heap out-of-bounds write PoC (numload)
Proof-of-concept artifacts for a coordinated-disclosure report (submitted privately via
Huntr) against the reference Darknet implementation (pjreddie/darknet).
A crafted Darknet model (.cfg + .weights) triggers a heap out-of-bounds write in
load_convolutional_weights (src/parser.c). The .cfg-controlled numload option
overrides the convolutional filter count used to size the loader's fread calls, while
the destination buffers were allocated using the original filters value. Setting
numload > filters makes fread write past the allocated l.biases / l.weights
heap buffers (CWE-787).
## Files

| File | Purpose |
|---|---|
| `repro.cfg` | Minimal network config: one `[convolutional]` layer, `filters=1`, `numload=100000` |
| `gen_weights.py` | Regenerates `repro.weights` (16-byte header + ~2 MB float32 payload) |
| `repro.weights` | The crafted weights file (benign payload of zeros) |
| `asan-output.txt` | AddressSanitizer trace of the out-of-bounds write |
## Reproduce

```sh
# Build the reference implementation CPU-only with AddressSanitizer
make GPU=0 OPENCV=0 OPENMP=0 \
    OPTS="-O0 -g -fsanitize=address -fno-omit-frame-pointer" \
    LDFLAGS="-lm -pthread -fsanitize=address"

# (Optional) regenerate the weights file
python3 gen_weights.py repro.weights

# Trigger the load; no image or data file required
./darknet partial repro.cfg repro.weights out.weights 1
```
AddressSanitizer reports a heap-buffer-overflow WRITE at parser.c:1172
(fread(l.biases, sizeof(float), l.n, fp) after l.n is overridden by numload),
against the 4-byte l.biases region allocated in make_convolutional_layer
(convolutional_layer.c:198).
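The defect pattern is a read count taken from untrusted input (`numload`) that is never compared against the allocation size (`filters`). The following is an added illustration, not Darknet's code and not the upstream fix: a minimal loader with the same shape (buffer sized from `filters`, count supplied separately) that rejects a count larger than the buffer before `fread` is reached. The struct, function names and the temp-file weights payload are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layer: mirrors the shape of the vulnerable pattern, where the
 * buffer is sized from the config's `filters` value but the read count can
 * come from a different, attacker-controlled field. */
typedef struct {
    int n;          /* filters: the count the buffers were allocated with */
    float *biases;  /* n floats */
} conv_layer;

/* Allocate the layer exactly as the config's filters value dictates. */
conv_layer make_layer(int filters) {
    conv_layer l;
    l.n = filters;
    l.biases = calloc((size_t)filters, sizeof(float));
    return l;
}

void free_layer(conv_layer *l) {
    free(l->biases);
    l->biases = NULL;
}

/* Hardened loader: the requested count is validated against the allocation
 * size before any bytes are written into the heap buffer. A short file is
 * also treated as an error rather than silently leaving entries unset.
 * Returns 0 on success, -1 on rejection or short read. */
int load_biases_checked(conv_layer *l, int numload, FILE *fp) {
    if (l->biases == NULL || numload < 0 || numload > l->n) {
        fprintf(stderr, "refusing to load %d biases into a %d-entry buffer\n",
                numload, l->n);
        return -1;
    }
    size_t got = fread(l->biases, sizeof(float), (size_t)numload, fp);
    if (got != (size_t)numload)
        return -1;
    return 0;
}

/* Constructed stand-in for a .weights payload: a temporary file holding
 * `count` float32 zeros (the PoC's payload is also all zeros). */
FILE *make_weights_file(int count) {
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    float zero = 0.0f;
    for (int i = 0; i < count; i++)
        fwrite(&zero, sizeof zero, 1, fp);
    rewind(fp);
    return fp;
}

/* Runs one load with the given config values. The report's case is
 * filters=1, numload=100000; the checked loader refuses it instead of
 * writing past the 4-byte biases allocation. */
int run_scenario(int filters, int numload) {
    FILE *fp = make_weights_file(numload);
    if (!fp) return -2;
    conv_layer l = make_layer(filters);
    int rc = load_biases_checked(&l, numload, fp);
    free_layer(&l);
    fclose(fp);
    return rc;
}

int main(void) {
    printf("filters=1 numload=1      -> %d\n", run_scenario(1, 1));
    printf("filters=1 numload=100000 -> %d\n", run_scenario(1, 100000));
    return 0;
}
```

Built with the same `-fsanitize=address` flags as above, the rejecting branch is what keeps ASan quiet; removing the `numload > l->n` comparison reproduces the heap-buffer-overflow WRITE class the trace in `asan-output.txt` shows.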