PoC β stable-diffusion.cpp torch-zip tensor offset uint64-overflow bounds bypass β OOB read
huntr MFV PoC vs leejet/stable-diffusion.cpp
src/model_io/torch_zip_io.cpp. Authorized security research (responsible disclosure via huntr).
torch_zip_io.cpp:80 guards the tensor offset with if (tensor_storage.offset + tensor_nbytes > entry_size). Both operands are uint64_t; a huge attacker offset (from the pickle's storage_offset)
makes offset + tensor_nbytes wrap past 2^64 to a small sum that passes the check, while offset
itself points far outside the zip storage entry β a wild out-of-bounds read when the tensor data is read
at offset. This is the zip-path sibling of the safetensors data_offsets OOB read, with an added CWE-190
integer-overflow bypass of an existing check.
Files
overflow_demo.cβ demonstrates the uint64 wrap that bypasses theoffset+nbytes > entry_sizecheck.
Reproduce (arithmetic bypass)
cc -O2 overflow_demo.c -o tzdemo && ./tzdemo
# offset=0xFFFFFFFFFFFFFC00 + nbytes=0x800 -> wraps to 1024 == entry_size -> check PASSES
# -> parser reads tensor data at offset 0xFFFF... -> wild OOB read
(End-to-end via a crafted .pt zip requires editing the pickle storage_offset to a huge value; the
uint64 wrap and the missing offset < entry_size bound are shown here and verified in source.)
Fix
Check tensor_storage.offset > entry_size (and tensor_nbytes > entry_size - offset) separately, i.e.
avoid the overflowing offset + nbytes sum.