Skip to content

Security: Out-of-bounds array access in GatherScatterCpu due to unchecked edge indices#2032

Open
barttran2k wants to merge 1 commit into
facebookresearch:mainfrom
barttran2k:contribai/fix/security/out-of-bounds-array-access-in-gatherscat
Open

Security: Out-of-bounds array access in GatherScatterCpu due to unchecked edge indices#2032
barttran2k wants to merge 1 commit into
facebookresearch:mainfrom
barttran2k:contribai/fix/security/out-of-bounds-array-access-in-gatherscat

Conversation

@barttran2k

Copy link
Copy Markdown

Problem

The function GatherScatterCpu reads vertex indices v0 and v1 from the edges tensor and uses them directly to index into the input and output arrays without validating that they fall within [0, num_vertices). A malformed edges tensor with indices exceeding the vertex count could lead to out-of-bounds memory reads and writes, potentially causing memory corruption or information disclosure.

Severity: high
File: pytorch3d/csrc/gather_scatter/gather_scatter_cpu.cpp

Solution

Add bounds checks before accessing arrays with edge-derived indices: TORCH_CHECK(v0 >= 0 && v0 < num_vertices && v1 >= 0 && v1 < num_vertices, "Edge vertex index out of bounds");

Changes

  • pytorch3d/csrc/gather_scatter/gather_scatter_cpu.cpp (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The function `GatherScatterCpu` reads vertex indices `v0` and `v1` from the `edges` tensor and uses them directly to index into the `input` and `output` arrays without validating that they fall within `[0, num_vertices)`. A malformed `edges` tensor with indices exceeding the vertex count could lead to out-of-bounds memory reads and writes, potentially causing memory corruption or information disclosure.

Affected files: gather_scatter_cpu.cpp

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
@meta-cla

meta-cla Bot commented Apr 6, 2026

Copy link
Copy Markdown

Hi @barttran2k!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant