From 0d8107b2828eeea63384fa740b5ba6718b2c42f1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 21:45:27 +0000 Subject: [PATCH 1/3] Initial plan From 9d8fc43dcc95e68d0c70ec6fea2bff0be580e4a7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 21:47:04 +0000 Subject: [PATCH 2/3] Add bounds check for negative indices in ArrayFeatureExtractor Co-authored-by: hariharans29 <9969784+hariharans29@users.noreply.github.com> --- .../core/providers/cpu/ml/array_feature_extractor.cc | 4 ++-- .../test/providers/cpu/ml/array_feature_extractor_test.cc | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc b/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc index af67419f4fb91..6b0ac0aecd42b 100644 --- a/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc +++ b/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc @@ -73,10 +73,10 @@ common::Status ArrayFeatureExtractorOp::Compute(OpKernelContext* context) con } for (int64_t i = 0; i < num_indices; ++i) { - if (y_data[i] >= stride) { + if (y_data[i] < 0 || y_data[i] >= stride) { return ORT_MAKE_STATUS( ONNXRUNTIME, INVALID_ARGUMENT, - "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") >=", stride); + "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0,", stride, ")"); } } diff --git a/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc b/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc index c7fc73456dcba..6c12fc5964125 100644 --- a/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc +++ b/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc @@ -109,5 +109,12 @@ TEST_F(ArrayFeatureExtractorTest, InvalidInputOutOfBoundsY) { test_.Run(OpTester::ExpectResult::kExpectFailure); } +TEST_F(ArrayFeatureExtractorTest, InvalidInputNegativeY) { + test_.AddInput("X", {10, 1}, {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}); + test_.AddInput("Y", {1}, {-10}); + test_.AddOutput("Z", {0}, {}); + test_.Run(OpTester::ExpectResult::kExpectFailure); +} + } // namespace test } // namespace onnxruntime From 9b6915fd45a4764664245e5e15d075d4f41084bd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 22:42:19 +0000 Subject: [PATCH 3/3] Fix out-of-bounds read vulnerability in ArrayFeatureExtractor Co-authored-by: hariharans29 <9969784+hariharans29@users.noreply.github.com> --- onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc | 2 +- .../test/providers/cpu/ml/array_feature_extractor_test.cc | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc b/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc index 6b0ac0aecd42b..60ebf862e1601 100644 --- a/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc +++ b/onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc @@ -76,7 +76,7 @@ common::Status ArrayFeatureExtractorOp::Compute(OpKernelContext* context) con if (y_data[i] < 0 || y_data[i] >= stride) { return ORT_MAKE_STATUS( ONNXRUNTIME, INVALID_ARGUMENT, - "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0,", stride, ")"); + "Invalid Y argument: index is out of range: Y[", i, "] (", y_data[i], ") must be in [0, ", stride, ")"); } } diff --git a/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc b/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc index 6c12fc5964125..671ada7d36383 100644 --- a/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc +++ b/onnxruntime/test/providers/cpu/ml/array_feature_extractor_test.cc @@ -112,6 +112,7 @@ TEST_F(ArrayFeatureExtractorTest, InvalidInputOutOfBoundsY) { TEST_F(ArrayFeatureExtractorTest, InvalidInputNegativeY) { test_.AddInput("X", {10, 1}, {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}); test_.AddInput("Y", {1}, {-10}); + // Should fail due to negative index -10 test_.AddOutput("Z", {0}, {}); test_.Run(OpTester::ExpectResult::kExpectFailure); }