Prevent snprintf vulnerability
Summary:
With a very big name for a `ParameterRange`, the `snprintf` call from `combination_name` can end up having a negative second parameter, causing a memory overflow, which can lead to a serious security issue.

We can check that the second parameter is always >= 0 and throw an exception if not.

See the new GTEST.

Reviewed By: mdouze

Differential Revision: D46856956

fbshipit-source-id: 91c657ec028c462d4b808b595811342034e00133
OctavianGuzu authored and facebook-github-bot committed Jun 23, 2023
1 parent 8ac4e41 commit 9126f86
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions faiss/AutoTune.cpp
Expand Up @@ -284,6 +284,8 @@ std::string ParameterSpace::combination_name(size_t cno) const {
char buf[1000], *wp = buf;
*wp = 0;
for (int i = 0; i < parameter_ranges.size(); i++) {
FAISS_THROW_IF_NOT_MSG(
buf + 1000 - wp >= 0, "Overflow detected in snprintf");
const ParameterRange& pr = parameter_ranges[i];
size_t j = cno % pr.values.size();
cno /= pr.values.size();
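
Review bot: The guard `buf + 1000 - wp >= 0` at the top of the loop can only fail once `wp` already points past the end of `buf`, and forming that out-of-range pointer is undefined behaviour in C++, so an optimizing compiler may assume the condition always holds. The guard also passes when exactly zero bytes remain, and because it runs before each iteration it never examines `wp` after the last one. I would keep the remaining space as a `size_t` derived from `sizeof(buf)` rather than repeating the literal 1000, and compare each `snprintf` return value against it in the part of the loop body not shown in this hunk, throwing before `wp` is moved when the output would be truncated. Since the function already returns `std::string`, appending to a `std::string` directly would remove the fixed buffer altogether. The message "Overflow detected in snprintf" would also help callers more if it said that the combined parameter names exceed the buffer.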