File size: 1,367 Bytes
4042a56 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | # llama.cpp Jinja2 Template Parser Stack Overflow PoC
## Vulnerability
**Type:** Stack Overflow via Uncontrolled Recursion (CWE-674)
**Location:** `common/jinja/parser.cpp` — recursive descent parser with no depth limit
**Severity:** Medium (CVSS 5.5) — DoS via crafted GGUF model file
**Tested:** llama.cpp commit c5ce4bc (2026-04-08)
## Root Cause
The Jinja2 template parser uses recursive descent with NO recursion depth limit.
A GGUF file with ~5,500+ levels of nested `{% if %}` blocks in `tokenizer.chat_template`
causes SIGSEGV (stack overflow) when any llama.cpp application loads the model.
## Crash Output
```
Depth 5000: Parser completed (OK)
Depth 5500: core dumped (SIGSEGV!)
Depth 10000: core dumped (SIGSEGV!)
```
## Files
- `poc_parser_stackoverflow.gguf` — Crafted GGUF with 50,000 nested if-blocks (~1.2 MB)
- `poc_recursive_macro.gguf` — Recursive macro that crashes at runtime (244 bytes)
- `poc_range_oom.gguf` — Unbounded range() causing OOM (203 bytes)
- `create_poc_jinja.py` — Generator script for all PoC variants
## Reproduction
```bash
# Build llama.cpp, then:
llama-server -m poc_parser_stackoverflow.gguf
# Result: Segmentation fault (core dumped)
```
## Suggested Fix
Add `MAX_PARSE_DEPTH` counter to recursive descent functions in parser.cpp.
**License:** MIT | **Researcher:** neimasilk | **Disclosure:** huntr.com
|