Fix out-of-bounds read vulnerability in ArrayFeatureExtractor

Copilot · hariharans29 · Copilot · commit 9b6915fd45a4 · 2026-02-06T22:42:19.000Z
Co-authored-by: hariharans29 &lt;9969784+hariharans29@users.noreply.github.com&gt;
diff --git a/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc b/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc
@@ -76,7 +76,7 @@ common::Status ArrayFeatureExtractorOp<T>::Compute(OpKernelContext* context) con
     if (y_data[i] < 0 || y_data[i] >= stride) {
       return ORT_MAKE_STATUS(
           ONNXRUNTIME, INVALID_ARGUMENT,
-          "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0,", stride, ")");
+          "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0, ", stride, ")");
     }
   }
 
diff --git a/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc b/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc
@@ -112,6 +112,7 @@ TEST_F(ArrayFeatureExtractorTest, InvalidInputOutOfBoundsY) {
 TEST_F(ArrayFeatureExtractorTest, InvalidInputNegativeY) {
   test_.AddInput<int64_t>("X", {10, 1}, {0, 1, 2, 3, 4, 5, 6, 7, 8, 9});
   test_.AddInput<int64_t>("Y", {1}, {-10});
+  // Should fail due to negative index -10
   test_.AddOutput<int64_t>("Z", {0}, {});
   test_.Run(OpTester::ExpectResult::kExpectFailure);
 }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ common::Status ArrayFeatureExtractorOp<T>::Compute(OpKernelContext* context) con`
`76`	`76`	`if (y_data[i] < 0 \|\| y_data[i] >= stride) {`
`77`	`77`	`return ORT_MAKE_STATUS(`
`78`	`78`	`ONNXRUNTIME, INVALID_ARGUMENT,`
`79`		`- "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0,", stride, ")");`
	`79`	`+ "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0, ", stride, ")");`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ TEST_F(ArrayFeatureExtractorTest, InvalidInputOutOfBoundsY) {`
`112`	`112`	`TEST_F(ArrayFeatureExtractorTest, InvalidInputNegativeY) {`
`113`	`113`	`test_.AddInput<int64_t>("X", {10, 1}, {0, 1, 2, 3, 4, 5, 6, 7, 8, 9});`
`114`	`114`	`test_.AddInput<int64_t>("Y", {1}, {-10});`
	`115`	`+ // Should fail due to negative index -10`
`115`	`116`	`test_.AddOutput<int64_t>("Z", {0}, {});`
`116`	`117`	`test_.Run(OpTester::ExpectResult::kExpectFailure);`
`117`	`118`	`}`