Prevent signed integer overflow in pixel_shuffle size calculation#16138
Merged
GregoryComer merged 1 commit intopytorch:mainfrom Dec 9, 2025
Merged
Prevent signed integer overflow in pixel_shuffle size calculation#16138GregoryComer merged 1 commit intopytorch:mainfrom
GregoryComer merged 1 commit intopytorch:mainfrom
Conversation
🔗 Helpful Links🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/16138
Note: Links to docs will display an error until the docs builds have been completed. ✅ You can merge normally! (1 Unrelated Failure)As of commit e879e0a with merge base 04f1e4d ( UNSTABLE - The following job is marked as unstable, possibly due to flakiness on trunk:
This comment was automatically generated by Dr. CI and updates every 15 minutes. |
Contributor
|
@GregoryComer has exported this pull request. If you are a Meta employee, you can view the originating Diff in D88693324. |
JacobSzwejbka
approved these changes
Dec 9, 2025
GregoryComer
added a commit
to GregoryComer/executorch
that referenced
this pull request
Dec 9, 2025
…torch#16138) Summary: The size calculation in `get_pixel_shuffle_out_target_size` can trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing. Specifically, the calculation of `upscale_factor * upscale_factor` ([source](https://github.com/pytorch/executorch/blob/04f1e4d22383ffcbc770acf5002348e3f95082a2/kernels/portable/cpu/util/copy_ops_util.cpp#L364)) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17. Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice. Differential Revision: D88693324
ae8b60a to
d42a11c
Compare
…torch#16138) Summary: The size calculation in `get_pixel_shuffle_out_target_size` can trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing. Specifically, the calculation of `upscale_factor * upscale_factor` ([source](https://github.com/pytorch/executorch/blob/04f1e4d22383ffcbc770acf5002348e3f95082a2/kernels/portable/cpu/util/copy_ops_util.cpp#L364)) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17. Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice. Differential Revision: D88693324
d42a11c to
e879e0a
Compare
Contributor
|
@GregoryComer has imported this pull request. If you are a Meta employee, you can view this in D88693324. |
manuelcandales
approved these changes
Dec 9, 2025
jirioc
pushed a commit
to nxp-upstream/executorch
that referenced
this pull request
Dec 19, 2025
…torch#16138) Summary: The size calculation in `get_pixel_shuffle_out_target_size` can trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing. Specifically, the calculation of `upscale_factor * upscale_factor` ([source](https://github.com/pytorch/executorch/blob/04f1e4d22383ffcbc770acf5002348e3f95082a2/kernels/portable/cpu/util/copy_ops_util.cpp#L364)) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17. Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice. I check this upper bound in `check_pixel_shuffle_args` and also assert in `get_pixel_shuffle_out_target_size` to ensure we don't hit UB. Differential Revision: D88693324
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary:
The size calculation in
get_pixel_shuffle_out_target_sizecan trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing.Specifically, the calculation of
upscale_factor * upscale_factor(source) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17.Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice. I check this upper bound in
check_pixel_shuffle_argsand also assert inget_pixel_shuffle_out_target_sizeto ensure we don't hit UB.Differential Revision: D88693324