PoC β€” stable-diffusion.cpp torch-zip tensor offset uint64-overflow bounds bypass β†’ OOB read

huntr MFV PoC vs leejet/stable-diffusion.cpp src/model_io/torch_zip_io.cpp. Authorized security research (responsible disclosure via huntr).

torch_zip_io.cpp:80 guards the tensor offset with if (tensor_storage.offset + tensor_nbytes > entry_size). Both operands are uint64_t; a huge attacker offset (from the pickle's storage_offset) makes offset + tensor_nbytes wrap past 2^64 to a small sum that passes the check, while offset itself points far outside the zip storage entry β€” a wild out-of-bounds read when the tensor data is read at offset. This is the zip-path sibling of the safetensors data_offsets OOB read, with an added CWE-190 integer-overflow bypass of an existing check.

Files

  • overflow_demo.c β€” demonstrates the uint64 wrap that bypasses the offset+nbytes > entry_size check.

Reproduce (arithmetic bypass)

cc -O2 overflow_demo.c -o tzdemo && ./tzdemo
# offset=0xFFFFFFFFFFFFFC00 + nbytes=0x800 -> wraps to 1024 == entry_size -> check PASSES
# -> parser reads tensor data at offset 0xFFFF... -> wild OOB read

(End-to-end via a crafted .pt zip requires editing the pickle storage_offset to a huge value; the uint64 wrap and the missing offset < entry_size bound are shown here and verified in source.)

Fix

Check tensor_storage.offset > entry_size (and tensor_nbytes > entry_size - offset) separately, i.e. avoid the overflowing offset + nbytes sum.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support