Commit 7ad0de5
Fix DoS vulnerability in FuseReluClip: handle empty tensor (#26878)
### Description
This PR fixes a null pointer dereference crash in the
FuseReluClip::Apply() optimizer rule when the Clip node's min input is
an empty tensor (e.g., shape [0, 0, 0, 0]).
#### Root Cause
When the clip_min initializer has zero elements, the Initializer class
constructs an empty tensor with a null or invalid
data_pointer. The code then attempts to dereference this pointer without
checking if the tensor has any elements:
```cpp
Initializer i(graph, *initializer, graph.ModelPath());
switch (data_type) {
  case ONNX_NAMESPACE::TensorProto_DataType_FLOAT:
    if (*i.data<float>() < 0.f) {  // ← Crash: null pointer dereference
```
#### Fix
Added a size check before accessing the initializer's data. If the
tensor is empty (which is invalid per ONNX spec for the min input), the
optimization is gracefully skipped:
```cpp
Initializer i(graph, *initializer, graph.ModelPath());
// Empty tensor is invalid for 'min' input - skip optimization to avoid null pointer dereference
if (i.size() == 0) {
  return Status::OK();
}
switch (data_type) {
```
#### Motivation and Context
- Security: A malformed ONNX model with an empty clip_min tensor could
  crash the ONNX Runtime session, causing a local Denial of Service.
- Robustness: While the specific trigger condition (empty tensor for min)
  is invalid per the ONNX spec, the optimizer should handle this
  gracefully without crashing.

The fix ensures malformed models won't crash during graph optimization.
The Relu→Clip fusion will simply be skipped for invalid models, allowing
subsequent validation to handle the error appropriately.

1 parent 1a112a2 commit 7ad0de5

1 file changed: +6 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
60 | 66 | | |
61 | 67 | | |
62 | 68 | | |
| |||
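
Review bot: The guard added at new lines 60-65 has no regression test with it: the commit changes one file (+6 -0), so nothing exercises FuseReluClip::Apply() with a zero-element min initializer such as the shape [0, 0, 0, 0] case named in the description. Please add an optimizer test that asserts the fusion is skipped and the call returns OK for that input, so the size check cannot be dropped silently in a later refactor. Also consider logging a warning before `return Status::OK();`, since the early return currently gives no signal that a spec-invalid min input was seen and the rule was bypassed.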