Stack buffer overflow in prepare_input_tensors() due to unchecked memcpy size by lucylq · Pull Request #16797 · pytorch/executorch

lucylq · 2026-01-22T21:20:02Z

Summary

Add size checks for int, double, bool before memcpying. Otherwise the input buffer may be larger than the intended size and overwrite adjacent memory.

Test Plan

(executorch) [lfq@devvm20128.prn0 /data/users/lfq/executorch/build (lfq.check-size-before-memcpy)]$ ctest -R extension_runner_util_test -V
...
54: [ RUN      ] InputsTest.DoubleInputWrongSizeFails
54: E 00:00:00.001251 executorch:inputs.cpp:101] Double input at index 2 has size 16, expected sizeof(double) 8
54: [       OK ] InputsTest.DoubleInputWrongSizeFails (0 ms)
...

1/1 Test #54: extension_runner_util_test .......   Passed    0.01 sec

The following tests passed:
        extension_runner_util_test

100% tests passed, 0 tests failed out of 1

Total Test time (real) =   0.01 sec

pytorch-bot · 2026-01-22T21:20:07Z

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/16797

📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

❌ 1 New Failure, 8 Pending

As of commit b1dadab with merge base 86b4bea ():

NEW FAILURE - The following job has failed:

Test CUDA Builds / test-model-cuda-e2e (mistralai, Voxtral-Mini-3B-2507, quantized-int4-tile-packed) / linux-job (gh)
RuntimeError: Command docker exec -t cf67a1d14436aa849ba7ec07fe3db4fe165652d572aa25e665bd6ebbc5e16a58 /exec failed with exit code 1

This comment was automatically generated by Dr. CI and updates every 15 minutes.

github-actions · 2026-01-22T21:21:00Z

This PR needs a `release notes:` label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

Copilot

Pull request overview

Mitigates a stack buffer overflow risk in prepare_input_tensors() by validating scalar input buffer sizes before copying into stack-allocated variables.

Changes:

Add strict size checks for Tag::Int (int64_t), Tag::Double (double), and Tag::Bool (bool) inputs prior to memcpy.
Return InvalidArgument with a descriptive error when the provided scalar buffer size is unexpected.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/inputs.cpp

mergennachin · 2026-01-22T22:04:29Z

Can you add a regression test?

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/inputs.cpp

extension/runner_util/test/inputs_test.cpp

extension/runner_util/inputs.cpp

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/inputs.cpp

lucylq · 2026-01-23T18:42:57Z

Can you add a regression test?

@mergennachin added one for double. Feel like that should be OK as it's the same logic, and adding tests for bool/int would need new models to export_program.py that take in bool/int as input. But let me know what you think

extension/runner_util/inputs.cpp

larryliu0820

Left some non-blocking comments

Copilot

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/test/CMakeLists.txt

Copilot

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/test/inputs_test.cpp

Copilot

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

extension/runner_util/test/inputs_test.cpp

meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jan 22, 2026

lucylq marked this pull request as ready for review January 22, 2026 21:22

lucylq requested review from JacobSzwejbka, Copilot and mergennachin January 22, 2026 21:22

Copilot started reviewing on behalf of lucylq January 22, 2026 21:22 View session

lucylq added the security-fix label Jan 22, 2026

Copilot AI reviewed Jan 22, 2026

View reviewed changes

extension/runner_util/inputs.cpp Outdated Show resolved Hide resolved

extension/runner_util/inputs.cpp Outdated Show resolved Hide resolved

lucylq force-pushed the lfq.check-size-before-memcpy branch from b0e5c6d to 8c8d7dc Compare January 23, 2026 00:52

lucylq requested a review from Copilot January 23, 2026 00:55

Copilot started reviewing on behalf of lucylq January 23, 2026 00:56 View session

Copilot AI reviewed Jan 23, 2026

View reviewed changes

lucylq force-pushed the lfq.check-size-before-memcpy branch from 8c8d7dc to c621f13 Compare January 23, 2026 01:13

Copilot AI review requested due to automatic review settings January 23, 2026 01:14

lucylq force-pushed the lfq.check-size-before-memcpy branch from c621f13 to 33aa861 Compare January 23, 2026 01:14

Copilot started reviewing on behalf of lucylq January 23, 2026 01:14 View session

lucylq force-pushed the lfq.check-size-before-memcpy branch from 33aa861 to 8090b55 Compare January 23, 2026 01:14

Copilot AI reviewed Jan 23, 2026

View reviewed changes

extension/runner_util/inputs.cpp Show resolved Hide resolved

larryliu0820 reviewed Jan 27, 2026

View reviewed changes

extension/runner_util/inputs.cpp Show resolved Hide resolved

larryliu0820 approved these changes Jan 27, 2026

View reviewed changes

lucylq force-pushed the lfq.check-size-before-memcpy branch from 8090b55 to 801f5a3 Compare January 27, 2026 23:01

lucylq requested a review from kirklandsign as a code owner January 27, 2026 23:01

lucylq requested a review from Copilot January 27, 2026 23:04

Copilot started reviewing on behalf of lucylq January 27, 2026 23:05 View session

Copilot AI reviewed Jan 27, 2026

View reviewed changes

extension/runner_util/test/CMakeLists.txt Show resolved Hide resolved

lucylq force-pushed the lfq.check-size-before-memcpy branch from 801f5a3 to e95bc65 Compare January 27, 2026 23:23

lucylq requested a review from Copilot January 27, 2026 23:24

Copilot started reviewing on behalf of lucylq January 27, 2026 23:24 View session

Copilot AI reviewed Jan 27, 2026

View reviewed changes

extension/runner_util/test/inputs_test.cpp Outdated Show resolved Hide resolved

extension/runner_util/test/inputs_test.cpp Outdated Show resolved Hide resolved

extension/runner_util/test/inputs_test.cpp Show resolved Hide resolved

lucylq force-pushed the lfq.check-size-before-memcpy branch from e95bc65 to 1f63405 Compare January 28, 2026 01:26

Copilot AI review requested due to automatic review settings January 28, 2026 01:31

lucylq force-pushed the lfq.check-size-before-memcpy branch from 1f63405 to 9c75403 Compare January 28, 2026 01:31

Copilot started reviewing on behalf of lucylq January 28, 2026 01:32 View session

Copilot AI reviewed Jan 28, 2026

View reviewed changes

extension/runner_util/test/inputs_test.cpp Show resolved Hide resolved

extension/runner_util/test/inputs_test.cpp Outdated Show resolved Hide resolved

extension/runner_util/test/inputs_test.cpp Show resolved Hide resolved

extension/runner_util/test/inputs_test.cpp Show resolved Hide resolved

Check size before memcpy

b1dadab

lucylq force-pushed the lfq.check-size-before-memcpy branch from 9c75403 to b1dadab Compare January 28, 2026 20:40

lucylq merged commit 161d535 into main Jan 28, 2026
169 of 172 checks passed

lucylq deleted the lfq.check-size-before-memcpy branch January 28, 2026 22:10

Conversation

lucylq commented Jan 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test Plan

Uh oh!

pytorch-bot bot commented Jan 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/16797

❌ 1 New Failure, 8 Pending

Uh oh!

github-actions bot commented Jan 22, 2026

This PR needs a release notes: label

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

mergennachin commented Jan 22, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

lucylq commented Jan 23, 2026

Uh oh!

Uh oh!

larryliu0820 left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

lucylq commented Jan 22, 2026 •

edited

Loading

pytorch-bot bot commented Jan 22, 2026 •

edited

Loading

This PR needs a `release notes:` label