
SafeTensors Integer Overflow in TensorView::new() PoC

Vulnerability

CWE-190 / CWE-125: Integer overflow in TensorView::new() bypasses size validation.

Root Cause

In safetensors/src/tensor.rs, lines 755-757:

let n_elements: usize = shape.iter().product();  // UNCHECKED - wraps on overflow
let nbits = n_elements * dtype.bitsize();         // UNCHECKED - wraps on overflow

The validate() method (lines 642-650) correctly uses checked_mul via try_fold, but TensorView::new() does not. This inconsistency means any Rust consumer using TensorView::new() directly is vulnerable.

Files

  • poc_model.safetensors - Valid safetensors file (the file format itself is safe because deserialization uses validate())
  • overflow_poc.rs - Rust PoC demonstrating the API-level overflow

Impact

Out-of-bounds memory read when sliced_data() is called on a TensorView constructed with crafted shape dimensions that overflow usize. This affects any Rust crate that calls TensorView::new() directly with user-controlled shape values.

Also Affected

SliceIterator::new() in slice.rs:362 performs the same kind of unchecked multiplication (span *= shape), so the span computation can also wrap.

Fix

let n_elements: usize = shape
    .iter()
    .try_fold(1usize, |acc, &x| acc.checked_mul(x))
    .expect("Shape dimensions overflow usize");
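To make the root cause and the fix concrete, the following added example (not code from the safetensors crate or from this PoC's overflow_poc.rs) contrasts the unchecked element-count arithmetic with a checked version that returns an error instead of wrapping; the function and error names are hypothetical.

```rust
// Added example, not part of the safetensors crate. Shows how wrapping
// multiplication on a crafted shape makes a tensor look tiny, and how
// checked arithmetic rejects the same shape before any buffer is touched.

#[derive(Debug, PartialEq)]
pub enum ShapeError {
    ElementCountOverflow,
    BitCountOverflow,
    BufferTooSmall { needed: usize, have: usize },
}

/// Mirrors the unchecked path: `product()` and `*` wrap in release builds
/// (in debug builds they panic). `wrapping_mul` reproduces the release
/// behaviour deterministically for demonstration.
pub fn nbytes_unchecked(shape: &[usize], bitsize: usize) -> usize {
    let n_elements: usize = shape.iter().fold(1usize, |acc, &x| acc.wrapping_mul(x));
    let nbits = n_elements.wrapping_mul(bitsize);
    nbits / 8
}

/// Checked path: every multiplication must succeed, and the resulting byte
/// count must fit in the backing buffer, otherwise the shape is rejected.
pub fn checked_nbytes(shape: &[usize], bitsize: usize, data_len: usize) -> Result<usize, ShapeError> {
    let n_elements = shape
        .iter()
        .try_fold(1usize, |acc, &x| acc.checked_mul(x))
        .ok_or(ShapeError::ElementCountOverflow)?;
    let nbits = n_elements
        .checked_mul(bitsize)
        .ok_or(ShapeError::BitCountOverflow)?;
    let needed = nbits / 8;
    if needed > data_len {
        return Err(ShapeError::BufferTooSmall { needed, have: data_len });
    }
    Ok(needed)
}

fn main() {
    // Constructed shape: the true product is usize::MAX + 3, which wraps to 2.
    let shape = [usize::MAX / 2 + 2, 2];
    let bits_f32 = 32;
    println!("unchecked nbytes: {}", nbytes_unchecked(&shape, bits_f32)); // 8
    println!("checked: {:?}", checked_nbytes(&shape, bits_f32, 8));       // Err(ElementCountOverflow)
}
```

Returning a Result rather than calling expect() lets a library surface the bad shape as an error instead of panicking the caller on attacker-controlled input.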