onnxruntime
2603ef50 - Harden CropAndResize against malformed crop_size tensors (#28766)

Commit
32 days ago
Harden CropAndResize against malformed crop_size tensors (#28766) ## Description This PR closes a validation gap in the Microsoft CropAndResize contrib op by rejecting malformed `crop_size` tensors before runtime can read past the end of the array. The fix improves safety for invalid models and preserves existing behavior for valid inputs. ## Summary of Changes ### Validation and safety | File | Change | |------|--------| | `onnxruntime/contrib_ops/cpu/crop_and_resize.cc` | Added explicit runtime validation to ensure `crop_size` is a 1-D tensor with exactly 2 elements before indexing `crop_size_data[1]`. | | `onnxruntime/core/graph/contrib_ops/contrib_defs.cc` | Added shape-inference validation so malformed `crop_size` shapes are rejected during model resolution when the size is known. | ### Regression coverage - Added provider-test coverage in `onnxruntime/test/contrib_ops/crop_and_resize_op_test.cc` for malformed `crop_size` inputs of length 1 and 3, confirming they fail validation instead of reaching the runtime path. ## Testing Verified locally with: - `cmake --build build/Linux/Release --target onnxruntime_provider_test -j2` - `cd build/Linux/Release && ./onnxruntime_provider_test --gtest_filter='CropAndResizeTest.*'` Result: 5 tests ran, 5 passed. ## Motivation and Context The root cause was that the runtime path only checked the rank of `crop_size`, not its element count. A rank-1 tensor with fewer than 2 elements could still reach `crop_size_data[1]`, which created an out-of-bounds read path and exposed adjacent heap bytes. This fix addresses both runtime execution and model-loading/shape-inference validation to close the vulnerability path end to end. ## Checklist - [x] Tests added/updated - [x] No breaking changes - [x] CI passes (verified locally via provider test suite)
Author
Parents
Loading