[PR #15846] ggml: check for overflow when computing tensor byte strides #62023

Open
opened 2026-04-29 16:58:51 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/ollama/ollama/pull/15846
Author: @kylejryan
Created: 4/27/2026
Status: 🔄 Open

Base: mainHead: gguf-stride-overflow-fix


📝 Commits (1)

  • b035abd ggml: check for overflow when computing tensor byte strides

📊 Changes

1 file changed (+9 additions, -3 deletions)

View changed files

📝 ml/backend/ggml/ggml/src/gguf.cpp (+9 -3)

📄 Description

gguf_init_from_file_impl validates that the product of ne[0..3] fits in
int64_t, but the subsequent byte-stride math
(nb[1] = type_size * ne[0]/blck_size and nb[j] = nb[j-1] * ne[j-1])
carries an additional factor of type_size that the upstream check does
not cover. For large ne[0], nb[1] (and the downstream strides) wraps
past SIZE_MAX, so ggml_nbytes() under-reports the tensor and the
allocation that later receives its data is sized against a truncated
stride rather than the shape stored in the header.

Guard each multiplication with the same SIZE_MAX/factor pattern already
used a few lines below for accumulating ctx->size, and surface a parse
error naming the offending dimension. Well-formed shapes hit the same
arithmetic path as before.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/ollama/ollama/pull/15846 **Author:** [@kylejryan](https://github.com/kylejryan) **Created:** 4/27/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `gguf-stride-overflow-fix` --- ### 📝 Commits (1) - [`b035abd`](https://github.com/ollama/ollama/commit/b035abd681a929d3001d98623c23ca085a386479) ggml: check for overflow when computing tensor byte strides ### 📊 Changes **1 file changed** (+9 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `ml/backend/ggml/ggml/src/gguf.cpp` (+9 -3) </details> ### 📄 Description gguf_init_from_file_impl validates that the product of ne[0..3] fits in int64_t, but the subsequent byte-stride math (nb[1] = type_size * ne[0]/blck_size and nb[j] = nb[j-1] * ne[j-1]) carries an additional factor of type_size that the upstream check does not cover. For large ne[0], nb[1] (and the downstream strides) wraps past SIZE_MAX, so ggml_nbytes() under-reports the tensor and the allocation that later receives its data is sized against a truncated stride rather than the shape stored in the header. Guard each multiplication with the same SIZE_MAX/factor pattern already used a few lines below for accumulating ctx->size, and surface a parse error naming the offending dimension. Well-formed shapes hit the same arithmetic path as before. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-29 16:58:51 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/ollama#62023