Add safe size checks for weights (#34483)

mangguo321 · web-flow · commit 6d2c43dfa661 · 2026-03-13T02:35:33.000Z
### Details: - *Add safe size checks to avoid Buffer Overflow when parsing Paddle Frontend Weight File* ### Tickets: - *CVS-182171*
diff --git a/src/frontends/paddle/src/input_model.cpp b/src/frontends/paddle/src/input_model.cpp
@@ -8,12 +8,14 @@
 #if defined(__MINGW32__) || defined(__MINGW64__)
 #    include <filesystem>
 #endif
+#include <limits>
 #include <queue>
 
 #include "decoder_proto.hpp"
 #include "framework.pb.h"
 #include "input_model.hpp"
 #include "openvino/core/log_util.hpp"
+#include "openvino/core/memory_util.hpp"
 #include "openvino/frontend/paddle/node_context.hpp"
 #include "openvino/opsets/opset7.hpp"
 #include "openvino/util/common_util.hpp"
@@ -160,8 +162,29 @@ void InputModel::InputModelImpl::load_places() {
 
 namespace {
 bool read_tensor(std::istream& is, char* data, size_t len) {
-    is.read(data, len);
-    return (size_t)is.gcount() == len;
+    if (len == 0) {
+        return true;
+    }
+    if (len > static_cast<size_t>(std::numeric_limits<std::streamsize>::max())) {
+        return false;
+    }
+    is.read(data, static_cast<std::streamsize>(len));
+    return is && (size_t)is.gcount() == len;
+}
+
+constexpr size_t kMaxTensorDescSize = 64 * 1024 * 1024;
+
+template <typename DimsT>
+ov::Shape make_shape_checked(const DimsT& dims) {
+    ov::Shape shape;
+    shape.reserve(dims.size());
+    for (const auto& dim : dims) {
+        FRONT_END_GENERAL_CHECK(dim >= 0, "Negative dimension in Paddle weight tensor.");
+        FRONT_END_GENERAL_CHECK(static_cast<unsigned long long>(dim) <= std::numeric_limits<size_t>::max(),
+                                "Dimension is too large for size_t in Paddle weight tensor.");
+        shape.push_back(static_cast<size_t>(dim));
+    }
+    return shape;
 }
 
 template <typename T>
@@ -288,10 +311,11 @@ void InputModel::InputModelImpl::load_consts(const std::basic_string<T>& folder_
 
         FRONT_END_GENERAL_CHECK(var_desc.type().type() == ::paddle::framework::proto::VarType::LOD_TENSOR);
         const auto& tensor = var_desc.type().lod_tensor().tensor();
-        Shape shape(tensor.dims().cbegin(), tensor.dims().cend());
+        Shape shape = make_shape_checked(tensor.dims());
         const auto& type = get_ov_type(tensor.data_type());
-        const auto& data_length = shape_size(shape) * type.size();
-        std::vector<uint8_t> tensor_data(data_length);
+        auto data_length = ov::util::get_memory_size_safe(type, shape);
+        FRONT_END_GENERAL_CHECK(data_length, "Weight tensor size overflow for constant ", name, ".");
+        std::vector<uint8_t> tensor_data(*data_length);
 
         bool read_succeed = false;
         if (!folder_with_weights.empty()) {
@@ -304,21 +328,28 @@ void InputModel::InputModelImpl::load_consts(const std::basic_string<T>& folder_
             FRONT_END_GENERAL_CHECK(is && is.is_open(), "Cannot open file for constant value.");
             const size_t header_size = 16;
             std::vector<char> header(header_size);
-            is.read(&header[0], header_size);
+            FRONT_END_GENERAL_CHECK(is.read(&header[0], header_size), "Failed to read constant header for ", name, ".");
 
             uint32_t dims_len = 0;
-            is.read(reinterpret_cast<char*>(&dims_len), 4);
+            FRONT_END_GENERAL_CHECK(is.read(reinterpret_cast<char*>(&dims_len), sizeof(dims_len)),
+                                    "Failed to read dims length for ",
+                                    name,
+                                    ".");
+            FRONT_END_GENERAL_CHECK(dims_len <= kMaxTensorDescSize, "Dims struct size too large for ", name, ".");
             std::vector<char> dims_struct(dims_len);
-            is.read(&dims_struct[0], dims_len);
-            read_succeed = read_tensor(is, reinterpret_cast<char*>(&tensor_data[0]), data_length);
+            FRONT_END_GENERAL_CHECK(is.read(dims_struct.data(), dims_len),
+                                    "Failed to read dims struct for ",
+                                    name,
+                                    ".");
+            read_succeed = read_tensor(is, reinterpret_cast<char*>(tensor_data.data()), *data_length);
         } else {
             FRONT_END_GENERAL_CHECK(false, "Folder with weights must be provided.");
         }
         FRONT_END_GENERAL_CHECK(read_succeed,
                                 "File containing constant with name ",
                                 name,
                                 " wasn't successfully read.");
-        auto const_node = opset7::Constant::create(type, shape, &tensor_data[0]);
+        auto const_node = opset7::Constant::create(type, shape, tensor_data.data());
         const_node->set_friendly_name(name);
         m_tensor_values[name] = const_node;
     }
@@ -353,30 +384,47 @@ void InputModel::InputModelImpl::load_consts(std::istream* weight_stream) {
         {
             const size_t header_size = 16;
             std::vector<char> header(header_size);
-            weight_stream->read(&header[0], header_size);
+            FRONT_END_GENERAL_CHECK(weight_stream->read(&header[0], header_size),
+                                    "Failed to read weight header for ",
+                                    name,
+                                    ".");
         }
 
         int32_t size;
-        weight_stream->read(reinterpret_cast<char*>(&size), sizeof(size));
+        FRONT_END_GENERAL_CHECK(weight_stream->read(reinterpret_cast<char*>(&size), sizeof(size)),
+                                "Failed to read TensorDesc size for ",
+                                name,
+                                ".");
+        FRONT_END_GENERAL_CHECK(size > 0 && static_cast<size_t>(size) <= kMaxTensorDescSize,
+                                "TensorDesc size is invalid for ",
+                                name,
+                                ".");
 
-        std::unique_ptr<char[]> buf(new char[size]);
-        weight_stream->read(reinterpret_cast<char*>(buf.get()), size);
+        std::vector<char> buf(static_cast<size_t>(size));
+        FRONT_END_GENERAL_CHECK(weight_stream->read(buf.data(), size),
+                                "Failed to read TensorDesc data for ",
+                                name,
+                                ".");
 
         std::unique_ptr<::paddle::framework::proto::VarType_TensorDesc> tensor_desc(
             new ::paddle::framework::proto::VarType_TensorDesc());
-        tensor_desc->ParseFromArray(buf.get(), size);
-        Shape shape(tensor_desc->dims().cbegin(), tensor_desc->dims().cend());
+        FRONT_END_GENERAL_CHECK(tensor_desc->ParseFromArray(buf.data(), size),
+                                "Failed to parse TensorDesc for ",
+                                name,
+                                ".");
+        Shape shape = make_shape_checked(tensor_desc->dims());
         const auto& type = get_ov_type(tensor_desc->data_type());
-        const auto& data_length = shape_size(shape) * type.size();
-        std::vector<uint8_t> tensor_data(data_length);
+        auto data_length = ov::util::get_memory_size_safe(type, shape);
+        FRONT_END_GENERAL_CHECK(data_length, "Weight tensor size overflow for constant ", name, ".");
+        std::vector<uint8_t> tensor_data(*data_length);
 
-        bool read_succeed = read_tensor(*weight_stream, reinterpret_cast<char*>(&tensor_data[0]), data_length);
+        bool read_succeed = read_tensor(*weight_stream, reinterpret_cast<char*>(tensor_data.data()), *data_length);
         FRONT_END_GENERAL_CHECK(read_succeed,
                                 "File containing constant with name ",
                                 name,
                                 " wasn't successfully read.");
 
-        auto const_node = opset7::Constant::create(type, shape, &tensor_data[0]);
+        auto const_node = opset7::Constant::create(type, shape, tensor_data.data());
         const_node->set_friendly_name(name);
         m_tensor_values[name] = const_node;
     }
diff --git a/src/frontends/paddle/tests/read_paddle_model_test.cpp b/src/frontends/paddle/tests/read_paddle_model_test.cpp
@@ -5,18 +5,67 @@
 #include <gtest/gtest.h>
 
 #include <fstream>
+#include <limits>
 #include <openvino/util/file_util.hpp>
 #include <set>
+#include <sstream>
 #include <string>
+#include <vector>
 
 #include "common_test_utils/ov_test_utils.hpp"
 #include "common_test_utils/unicode_utils.hpp"
 #include "frontend/shared/include/utils.hpp"
+#include "openvino/frontend/manager.hpp"
 #include "openvino/openvino.hpp"
 #include "openvino/opsets/opset1.hpp"
 #include "openvino/opsets/opset8.hpp"
 #include "openvino/pass/serialize.hpp"
 
+namespace {
+void append_varint(std::string& out, uint64_t value) {
+    while (value > 0x7F) {
+        out.push_back(static_cast<char>((value & 0x7F) | 0x80));
+        value >>= 7;
+    }
+    out.push_back(static_cast<char>(value));
+}
+
+void append_key(std::string& out, uint32_t field_number, uint8_t wire_type) {
+    append_varint(out, (static_cast<uint64_t>(field_number) << 3) | wire_type);
+}
+
+std::string make_tensor_desc_bytes(const std::vector<int64_t>& dims, int32_t data_type) {
+    std::string out;
+    append_key(out, 1, 0);
+    append_varint(out, static_cast<uint64_t>(data_type));
+    for (const auto& dim : dims) {
+        append_key(out, 2, 0);
+        append_varint(out, static_cast<uint64_t>(dim));
+    }
+    return out;
+}
+
+std::string make_weights_with_tensor_desc(const std::string& desc_bytes) {
+    std::string out;
+    out.reserve(16 + sizeof(int32_t) + desc_bytes.size());
+    out.append(16, '\0');
+    int32_t desc_size = static_cast<int32_t>(desc_bytes.size());
+    out.append(reinterpret_cast<const char*>(&desc_size), sizeof(desc_size));
+    out.append(desc_bytes);
+    return out;
+}
+
+std::string make_invalid_weights_with_bad_desc_size() {
+    constexpr int32_t kMaxTensorDescSize = 64 * 1024 * 1024;
+    std::string out;
+    out.reserve(16 + sizeof(int32_t));
+    out.append(16, '\0');
+    int32_t desc_size = kMaxTensorDescSize + 1;
+    out.append(reinterpret_cast<const char*>(&desc_size), sizeof(desc_size));
+    return out;
+}
+}  // namespace
+
 TEST(Paddle_Reader_Tests, LoadModelMemoryToCore) {
     auto model = FrontEndTestUtils::make_model_path(std::string(TEST_PADDLE_MODELS_DIRNAME) +
                                                     "conv2d_relu/conv2d_relu" + std::string(TEST_PADDLE_MODEL_EXT));
@@ -132,6 +181,101 @@ TEST(Paddle_Reader_Tests, ImportBasicModelToCore) {
     ASSERT_TRUE(res.valid) << res.message;
 }
 
+TEST(Paddle_Reader_Tests, LoadModelWithInvalidTensorDescSize) {
+    auto model_path = FrontEndTestUtils::make_model_path(
+        std::string(TEST_PADDLE_MODELS_DIRNAME) + "conv2d_relu/conv2d_relu" + std::string(TEST_PADDLE_MODEL_EXT));
+
+    std::ifstream model_ifs(model_path, std::ios::in | std::ios::binary);
+    ASSERT_TRUE(model_ifs.is_open()) << "Cannot open model file: " << model_path;
+
+    const auto weights_bytes = make_invalid_weights_with_bad_desc_size();
+    std::istringstream weights_is(weights_bytes, std::ios::in | std::ios::binary);
+
+    auto fem = ov::frontend::FrontEndManager();
+    std::istream* model_stream = &model_ifs;
+    std::istream* weights_stream = &weights_is;
+    auto fe = fem.load_by_model(model_stream, weights_stream);
+    ASSERT_NE(fe, nullptr);
+
+    model_ifs.clear();
+    model_ifs.seekg(0, std::ios::beg);
+    weights_is.clear();
+    weights_is.seekg(0, std::ios::beg);
+
+    try {
+        fe->load(model_stream, weights_stream);
+        FAIL() << "Expected load to fail due to invalid TensorDesc size";
+    } catch (const std::exception& ex) {
+        const std::string msg = ex.what();
+        ASSERT_NE(msg.find("TensorDesc size is invalid"), std::string::npos) << msg;
+    }
+}
+
+TEST(Paddle_Reader_Tests, LoadModelWithNegativeDimInTensorDesc) {
+    auto model_path = FrontEndTestUtils::make_model_path(
+        std::string(TEST_PADDLE_MODELS_DIRNAME) + "conv2d_relu/conv2d_relu" + std::string(TEST_PADDLE_MODEL_EXT));
+
+    std::ifstream model_ifs(model_path, std::ios::in | std::ios::binary);
+    ASSERT_TRUE(model_ifs.is_open()) << "Cannot open model file: " << model_path;
+
+    const auto desc_bytes = make_tensor_desc_bytes({-1}, 5);
+    const auto weights_bytes = make_weights_with_tensor_desc(desc_bytes);
+    std::istringstream weights_is(weights_bytes, std::ios::in | std::ios::binary);
+
+    auto fem = ov::frontend::FrontEndManager();
+    std::istream* model_stream = &model_ifs;
+    std::istream* weights_stream = &weights_is;
+    auto fe = fem.load_by_model(model_stream, weights_stream);
+    ASSERT_NE(fe, nullptr);
+
+    model_ifs.clear();
+    model_ifs.seekg(0, std::ios::beg);
+    weights_is.clear();
+    weights_is.seekg(0, std::ios::beg);
+
+    try {
+        fe->load(model_stream, weights_stream);
+        FAIL() << "Expected load to fail due to negative dimension";
+    } catch (const std::exception& ex) {
+        const std::string msg = ex.what();
+        ASSERT_NE(msg.find("Negative dimension in Paddle weight tensor"), std::string::npos) << msg;
+    }
+}
+
+TEST(Paddle_Reader_Tests, LoadModelWithOverflowingTensorSize) {
+    auto model_path = FrontEndTestUtils::make_model_path(
+        std::string(TEST_PADDLE_MODELS_DIRNAME) + "conv2d_relu/conv2d_relu" + std::string(TEST_PADDLE_MODEL_EXT));
+
+    std::ifstream model_ifs(model_path, std::ios::in | std::ios::binary);
+    ASSERT_TRUE(model_ifs.is_open()) << "Cannot open model file: " << model_path;
+
+    const auto desc_bytes = make_tensor_desc_bytes({std::numeric_limits<int64_t>::max(), 2}, 5);
+    const auto weights_bytes = make_weights_with_tensor_desc(desc_bytes);
+    std::istringstream weights_is(weights_bytes, std::ios::in | std::ios::binary);
+
+    auto fem = ov::frontend::FrontEndManager();
+    std::istream* model_stream = &model_ifs;
+    std::istream* weights_stream = &weights_is;
+    auto fe = fem.load_by_model(model_stream, weights_stream);
+    ASSERT_NE(fe, nullptr);
+
+    model_ifs.clear();
+    model_ifs.seekg(0, std::ios::beg);
+    weights_is.clear();
+    weights_is.seekg(0, std::ios::beg);
+
+    try {
+        fe->load(model_stream, weights_stream);
+        FAIL() << "Expected load to fail due to overflowing tensor size";
+    } catch (const std::exception& ex) {
+        const std::string msg = ex.what();
+        const bool has_weight_overflow = msg.find("Weight tensor size overflow for constant") != std::string::npos;
+        const bool has_dim_overflow =
+            msg.find("Dimension is too large for size_t in Paddle weight tensor.") != std::string::npos;
+        ASSERT_TRUE(has_weight_overflow || has_dim_overflow) << msg;
+    }
+}
+
 #if defined(OPENVINO_ENABLE_UNICODE_PATH_SUPPORT) && defined(_WIN32)
 TEST(Paddle_Reader_Tests, ImportBasicModelToCoreWstring) {
     std::string win_dir_path{TEST_PADDLE_MODELS_DIRNAME "relu/relu" + std::string(TEST_PADDLE_MODEL_EXT)};
