From 6ffed7323e5f68516939c7edb425f05822be6c13 Mon Sep 17 00:00:00 2001
From: Akarshan Biswas
Date: Wed, 19 Feb 2025 09:50:32 +0530
Subject: [PATCH] Fix: Prevent Out-of-Bounds Reads in GGUF Parser
---
 engine/config/gguf_parser.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/engine/config/gguf_parser.cc b/engine/config/gguf_parser.cc
index acd2b9c76..c97c79c30 100644
--- a/engine/config/gguf_parser.cc
+++ b/engine/config/gguf_parser.cc
@@ -104,6 +104,10 @@ std::pair GGUFHandler::ReadString(
 uint64_t length;
 std::memcpy(&length, data_ + offset, sizeof(uint64_t));
+ if (offset + 8 + length > file_size_) {
+ throw std::runtime_error("GGUF metadata string length exceeds file size.\n");
+ }
+
 std::string value(reinterpret_cast(data_ + offset + 8), length);
 return {8 + static_cast(length), value};
 }
@@ -274,6 +278,9 @@ size_t GGUFHandler::ReadArray(std::size_t offset, const std::string& key) {
 }
 array_offset += length;
+ if (offset + array_offset > file_size_) {
+ throw std::runtime_error("GGUF Parser Array exceeded file size.\n");
+ }
 }
 if (array_values_string.size() > 0) metadata_array_string_[key] = array_values_string;
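Review bot: The added bound in ReadString, `offset + 8 + length > file_size_`, can wrap around because `length` is a 64-bit value copied straight from the file, so a very large length makes the sum small and the check passes. It also runs after the `std::memcpy` that reads the 8-byte length, so `offset + 8` is never checked against `file_size_` before that read. Comparing against the remaining bytes avoids both: `if (offset > file_size_ || file_size_ - offset < sizeof(uint64_t)) throw ...;` before the memcpy, then `if (length > file_size_ - offset - sizeof(uint64_t)) throw ...;`. The same additive form appears in the ReadArray hunk (`offset + array_offset > file_size_`). The declaration of `file_size_` is outside the hunk, so it is assumed here to be an unsigned size type.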
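Review bot: The new check in ReadArray sits after `array_offset += length;`, at the end of the loop iteration, so the element for that iteration has already been read by the time the bound is tested. It also uses `>`, so a position exactly equal to `file_size_` passes and a following iteration would begin its read at the end of the buffer. Testing before each element read that the element fits in the remaining bytes would close that gap, e.g. `if (elem_size > file_size_ - (offset + array_offset)) throw ...;`, where `elem_size` is a placeholder for the per-type width. The loop header and the element reads are outside the hunk, so this is inferred from the visible placement only.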