| license: mit | |
| tags: | |
| - security-research | |
| - poc | |
| # Security PoC — ctransformers GGUF loader input validation | |
| **Purpose:** huntr Model-File-Format (MFV) vulnerability report PoC. Not a real model. | |
| `bad_type.gguf` is a 57-byte crafted GGUF (v3) whose single tensor declares an | |
| out-of-range `type` field. The vendored (2023-frozen) ggml/llama.cpp parser inside | |
| `ctransformers` uses this file-controlled `type` value as an index into the fixed | |
| `type_traits[GGML_TYPE_COUNT]` table with no range check, causing an out-of-bounds | |
| read when the file is loaded via `AutoModelForCausalLM.from_pretrained(...)`. | |
| Reproduce: | |
| ```python | |
| from ctransformers import AutoModelForCausalLM | |
| AutoModelForCausalLM.from_pretrained("bad_type.gguf", model_type="llama") | |
| # -> OSError: access violation reading 0xFFFFFFFFFFFFFFFF (OOB read) | |
| ``` | |
| Access-restricted (gated) — for vulnerability triage only. | |