Validate coefficients size in LinearRegressor to prevent OOB read
LinearRegressor treats the coefficients attribute as a [num_targets,
num_features] matrix and passes it directly to MLAS SGEMM. However,
num_features is derived from the input tensor at runtime, and no
validation ensured coefficients.size() == num_targets * num_features.
A malformed model could provide fewer coefficients than expected,
causing MlasSgemmTransposePackB to read past the buffer boundary.
Add a size check after num_features is computed but before the GEMM
dispatch to reject mismatched coefficients with a clear error message.
Files changed:
- onnxruntime/core/providers/cpu/ml/linearregressor.cc
- onnxruntime/test/providers/cpu/ml/linearregressor_test.cc
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
onnxruntime
f2b60a1b - Validate coefficients size in LinearRegressor to prevent OOB read
