Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.2.0
Details
Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.
The fix
Fix for PyTorch mobile flatbuffer loader out of bounds reads
torch/csrc/jit/mobile/flatbuffer_loader.cpp+1 −1
@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule(storage_loaded_.resize(module->storage_data_size(), false);mobile_ivalue_size_ = module_->mobile_ivalue_size();-if (mobile_ivalue_size_ == 0) {+if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) {mobile_ivalue_size_ = ivalues->size();}