From 8e06f11c38c8168153a0652f8247592862ec627d Mon Sep 17 00:00:00 2001 From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com> Date: Mon, 11 Aug 2025 19:38:40 +0530 Subject: [PATCH] [security] Add bounds check in StringToArrayFast() to prevent heap buffer over-read This patch fixes a heap buffer over-read vulnerability in the C++ core of LightGBM. The `StringToArrayFast()` function did not check if the parser had reached the end of the string before reading the next array element. --- include/LightGBM/utils/common.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/LightGBM/utils/common.h b/include/LightGBM/utils/common.h index 67bc07b0ecd5..55fc9fb7ef1d 100644 --- a/include/LightGBM/utils/common.h +++ b/include/LightGBM/utils/common.h @@ -489,9 +489,14 @@ inline static std::vector StringToArrayFast(const std::string& str, int n) { return std::vector(); } auto p_str = str.c_str(); + auto p_end = p_str + str.size(); __StringToTHelperFast::value> helper; std::vector ret(n); for (int i = 0; i < n; ++i) { + p_str = Common::SkipSpaceAndTab(p_str); + if (p_str >= p_end) { + Log::Fatal("Malformed model file: not enough values in string for array of size %d", n); + } p_str = helper(p_str, &ret[i]); } return ret;