YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
Arm NN OnnxParser Reshape OOB Write (CWE-787)
Vulnerability
Root cause: OnnxParser.cpp:2332 in ParseReshape() uses std::vector::reserve() instead of resize() when building target shape dimensions from an ONNX model.
reserve() allocates capacity but does NOT change size(), which remains 0. The subsequent loop writes shape values via targetShape[i] โ accessing indices past size() is undefined behavior per the C++ standard, regardless of capacity.
Vulnerable Code
// OnnxParser.cpp:2328-2338
std::vector<unsigned int> targetShape; // size = 0
targetShape.reserve(dims); // capacity = dims, size STILL 0!
for(uint i = 0; i < dims; i++)
{
targetShape[i] = static_cast<unsigned int>(val); // OOB WRITE!
}
Two Distinct Issues
- OOB Write (UB) โ writing to unconstructed elements past
size() - Wrong TensorShape โ at line 2379,
targetShape.size()is still 0, constructing a 0-dimension TensorShape regardless of actual model shape
Impact
- CWE-787 (Out-of-bounds Write)
- CVSS 7.5 (High)
- Affects any ONNX model with Reshape operations (nearly all models)
- Deployed on millions of embedded/mobile devices
Fix
- targetShape.reserve(dims);
+ targetShape.resize(dims);
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support