YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
Arm NN GetNumElements() Integer Overflow (CWE-190)
Vulnerability
Root cause: TensorShape::GetNumElements() in src/armnn/Tensor.cpp:190-197 multiplies tensor dimensions using unsigned int without overflow checking.
When a crafted model provides large dimensions whose product overflows 32-bit unsigned, GetNumElements() returns 0. This propagates to GetNumBytes() (line 429), which is used for ALL buffer allocation and validation. The buffer size check at TfLiteParser.cpp:270-271 compares against the overflowed value (0 > N = false), so validation silently passes.
Affects ALL model formats: .tflite, .onnx, .armnn (native)
Vulnerable Code
// Tensor.cpp:190-197
unsigned int count = 1;
for (unsigned int i = 0; i < m_NumDimensions; ++i)
{
if (m_DimensionsSpecificity[i])
{
count *= m_Dimensions[i]; // NO OVERFLOW CHECK
}
}
Additional Finding
OnnxParser.cpp:2332 uses reserve() instead of resize(), then accesses elements by index (UB/OOB write).
Impact
- CWE-190 (Integer Overflow) + CWE-122 (Heap Buffer Overflow)
- CVSS 8.8 (Critical)
- Deployed on millions of embedded/mobile devices
- 30+ affected code paths across all parsers
numeric_castoverflow checks disabled in release builds (NDEBUG)