[c++] Add bounds check in StringToArrayFast() to prevent heap buffer over-read#6998
[c++] Add bounds check in StringToArrayFast() to prevent heap buffer over-read#6998sanjay20m wants to merge 5 commits into
Conversation
…ffer over-read This patch fixes a heap buffer over-read vulnerability in the C++ core of LightGBM. The `StringToArrayFast()` function did not check if the parser had reached the end of the string before reading the next array element.
jameslamb
left a comment
There was a problem hiding this comment.
Thanks for your interest in LightGBM.
How did you discover this? How can we test it? Can you share a normal model file and one modified in the way you say this protects against, so we can understand what's being proposed here?
|
Hi @jameslamb How to reproduce
This demonstrates that the change prevents a possible heap buffer over-read when loading malformed model files. |
|
Hello @jameslamb , Can u take some time to review! |
This comment was marked as spam.
This comment was marked as spam.
|
Hi @jameslamb Following up on this! To make testing this easier, I have attached a
If you load Could you take another look when you have a moment? Let me know if you need any other details! |
|
Thank you for your continued interest. Sorry but I'm not opening a You will have to be patient and wait for someone to review this. |
|
Hey @jameslamb Fair point on the .zip file, my bad. If you or anyone on the team wants to verify this locally without downloading an archive, here is the minimal script to generate the 1-tree model: import lightgbm as lgb To test the heap over-read on master, just change num_leaves=3 to num_leaves=20 in the resulting text file and try to load it. Also, this exact patch was already validated and merged into the ExaBoost fork by @BelixRogner (commit 9c7c4cb), confirming it hardens the parsing. Let me know if you need anything else to move this forward. |
|
Being merved into that unaffiliated fork does not provide any evidence that this patch is appropriate for LightGBM. When someone reviews, we will alaso be looking at the impact on portability and performance. |
|
Understood, that makes total sense. I will be waiting for the maintainers' review. Let me know if you need anything else from me when the time comes! |
Summary
This PR fixes a memory safety issue in
StringToArrayFast()where the parsercould read past the end of the model string when the declared array size was
larger than the available data.
Vulnerability
An attacker could create a malicious LightGBM text model file with:
This mismatch would cause the parser to read beyond the allocated buffer,
triggering undefined behavior. This can result in:
Fix
Security Impact
This hardens the model loading path against malicious or corrupted model files.
The patch does not change public APIs or intended parsing behavior.