onnxruntime

a208df8a - Use SafeInt for size arithmetic in CPU tensor operators to prevent overflow (#28060)

Use SafeInt for size arithmetic in CPU tensor operators to prevent overflow (#28060) ### Description Replace unchecked `int64_t` size/offset arithmetic with `SafeInt<size_t>` across several CPU operator implementations to prevent silent integer overflow when computing buffer offsets and allocation sizes. All changed expressions compute non-negative element counts or byte offsets used in pointer arithmetic, `memset`, `std::copy_n`, `std::fill_n`, or allocator calls. On models with large tensor dimensions the intermediate products (e.g., `N * C * H * W`) can overflow `int64_t` before the result is used. Wrapping the leading factor in `SafeInt<size_t>()` ensures every intermediate multiplication is overflow-checked and produces a `size_t` result. ### Motivation and Context Integer overflow in size calculations can lead to undersized allocations, out-of-bounds memory access, or incorrect pointer offsets — all of which are security-sensitive. This change hardens the affected code paths against such overflow. ### Key Changes | File | Change | |---|---| | `core/providers/cpu/tensor/grid_sample.cc` | Wrap grid/input/output offset computations with `SafeInt<size_t>`, chain all factors through SafeInt instead of parenthesized sub-expressions | | `core/providers/cpu/tensor/affine_grid.cc` | Wrap batch offset and Eigen map size computations with `SafeInt<size_t>` | | `core/providers/cpu/tensor/upsample_antialias.h` | Replace `narrow<size_t>(a * b)` and `static_cast<size_t>(a * b)` with `SafeInt<size_t>(a) * b` for temp buffer sizes, span extents, and copy counts | | `core/providers/cpu/nn/tfidfvectorizer.cc` | Wrap `memset` byte-count computation with `SafeInt` | | `core/providers/cpu/quantization/qlinearconv.cc` | Wrap `Alloc()` / `MakeUniquePtr` size computation with `SafeInt` | | `core/providers/cpu/quantization/quantize_linear.cc` | Wrap sub-byte quantization total-size computation with `SafeInt` | | `core/providers/cpu/sequence/sequence_ops.cc` | Wrap `SplitToSequence` offset and copy-count computations with `SafeInt` | ### Testing Existing unit tests cover the functional behavior of all affected operators. The change is purely defensive — it makes previously unchecked arithmetic throw on overflow instead of silently wrapping, with no change to behavior for in-range inputs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>