Skip to content

fix: in bindings/ruby/test/jfk_reader/jfk_reader in jfk_reader.c#3756

Open
orbisai0security wants to merge 4 commits intoggml-org:masterfrom
orbisai0security:fix-fix-v-002-integer-overflow-malloc-jfk-reader
Open

fix: in bindings/ruby/test/jfk_reader/jfk_reader in jfk_reader.c#3756
orbisai0security wants to merge 4 commits intoggml-org:masterfrom
orbisai0security:fix-fix-v-002-integer-overflow-malloc-jfk-reader

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented Apr 17, 2026

Summary

Fix critical severity security issue in bindings/ruby/test/jfk_reader/jfk_reader.c.

Vulnerability

Field Value
ID V-002
Severity CRITICAL
Scanner multi_agent_ai
Rule V-002
File bindings/ruby/test/jfk_reader/jfk_reader.c:18
CWE CWE-190

Description: In bindings/ruby/test/jfk_reader/jfk_reader.c at lines 18-19, malloc is called with n_samples * sizeof(float) and n_samples * sizeof(short) without any integer overflow check. If n_samples is attacker-controlled and close to SIZE_MAX/sizeof(float), the multiplication wraps around to a small value, causing malloc to allocate an undersized buffer. Subsequent writes of the full sample data overflow this buffer, corrupting heap memory.

Changes

  • bindings/ruby/test/jfk_reader/jfk_reader.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-002 security vulnerability
b000b49 
Automated security fix generated by Orbis Security AI
@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 17, 2026

Thank you for finding the issue!

Can you use allocator and free functions Ruby provides?

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented Apr 17, 2026

Yes, good call. I can switch this over to Ruby’s alloc/free helpers (e.g. RB_ZALLOC_N/RB_ALLOC_N + xfree, or ruby_xcalloc + ruby_xfree) so we’re not mixing allocators. Let me know which style you prefer, and I’ll update the PR.

@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 17, 2026

I don't have strong opinion because I'm not familiar with Ruby extension development custom.

@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 18, 2026

Ah, sorry, I have seen only the diff lines, but I have a question now. Can an attacker control n_samples?

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented Apr 18, 2026

n_samples is not attacker-controlled here. In jfk_reader_get_memory_view(), it’s a local constant (const int n_samples = 176000;), and nothing in the Ruby object or the input file influences it. The only user-controlled value is audio_path. The fix switches to calloc + NULL checks to avoid uninitialized heap use and handle allocation failures; if n_samples ever becomes derived from input in the future, we’d also add explicit bounds checks / overflow-safe size calculations.

@orbisai0security @claude
fix(ruby): use Ruby allocator macros in jfk_reader and fix memory leak
f170d48 
- Replace calloc/free with ALLOC_N/xfree to match Ruby binding conventions
  (ALLOC_N handles overflow checking and raises NoMemoryError on failure)
- Free temporary samples buffer after conversion loop (was leaked)
- Add NULL check for fopen return value with rb_raise
- Add comment clarifying n_samples is a compile-time constant

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 18, 2026

Thank you for the addressing. One more question: is it allowed to raise an exception in rb_memory_view_get_func_t?

@orbisai0security @claude
fix(ruby): return false instead of rb_raise in memory_view callback
0723001 
rb_memory_view_get_func_t callbacks should communicate errors via
return value (false), not exceptions. rb_memory_view_get has no
exception-handling wrapper around get_func calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented Apr 20, 2026

It is allowed but not safe to raise an exception in rb_memory_view_get_func_t. So, I've replaced this with false.

@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 21, 2026

I found out that ALLOC_N might potentially raise a Ruby exception. Sorry for me saying to use it but it was not appropriate.

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented Apr 22, 2026

I have switched from ALLOC_N to rb_protect. So, can you review again?

@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 22, 2026

Thank you for a lot of work!

@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented Apr 22, 2026

@ggerganov @danbev
Can you review when you have time? I think it's okay.
This vulnerability should not actually be effective, so you don't need to hurry.
Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danbev danbev danbev approved these changes

+1 more reviewer

@KitaitiMakoto KitaitiMakoto KitaitiMakoto approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@orbisai0security @KitaitiMakoto @danbev