fix: two memcpy calls in kquant_helpers in kquant_helpers.h#15
Open
orbisai0security wants to merge 1 commit into
Open
fix: two memcpy calls in kquant_helpers in kquant_helpers.h#15orbisai0security wants to merge 1 commit into
orbisai0security wants to merge 1 commit into
Conversation
Automated security fix generated by Orbis Security AI
k0zi
reviewed
May 15, 2026
| static inline void bn_q3k_unpack_scales(const uint8_t *scales, uint8_t *out) { | ||
| uint32_t aux[4]; | ||
| memcpy(aux, scales, 12); | ||
| memcpy(aux, scales, 3 * sizeof(uint32_t)); |
There was a problem hiding this comment.
aux[4] is size of 4. I understand that 3 is derived from 12 but isn't it better use 4*sizeof?
Author
There was a problem hiding this comment.
I think 3 * sizeof(uint32_t) is intentional rather than 4 * sizeof(uint32_t): the function copies the 12-byte packed scale representation into aux[0..2], then computes aux[3] from the packed bits before writing the 16-byte unpacked result to out. Changing the first copy to 4 * sizeof(uint32_t) would read 16 bytes from scales, which may be incorrect if the caller provides the expected 12-byte packed buffer.
k0zi
approved these changes
May 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix critical severity security issue in
include/kquant_helpers.h.Vulnerability
V-001include/kquant_helpers.h:20Description: Two memcpy calls in kquant_helpers.h use hardcoded byte counts (12 and 16) without verifying that the destination buffers 'aux' and 'out' are at least that large. If the destination buffers are declared smaller than the hardcoded sizes due to a type mismatch or caller error, or if the source 'scales' buffer is smaller than 12 bytes, a heap or stack buffer overflow or out-of-bounds read occurs. These helpers are invoked during quantized model weight processing, meaning a crafted model file can reliably trigger this code path.
Changes
include/kquant_helpers.hVerification
Automated security fix by OrbisAI Security