Fix for out of bounds read in mobile interpreter INTERFACE_CALL opcode handler (#110301)

Summary: The INTERFACE_CALL opcode for the mobile TorchScript interpreter contained an out of bounds read issue leading to memory corruption. This change adds an explicit check that the number of inputs passed to the format method called when handling the INTERFACE_CALL opcode is a valid and within bounds of the stack. Test Plan: contbuild + OSS signals Differential Revision: D49739450 Pull Request resolved: https://github.com/pytorch/pytorch/pull/110301 Approved by: https://github.com/dbort
2026-05-14 20:57:59 +00:00 · 2023-12-28 22:09:03 +00:00 · 2023-12-28 22:09:03 +00:00 · 02e2158e75
commit 02e2158e75
parent 7e12e722af
1 changed files with 9 additions and 0 deletions
--- a/torch/csrc/jit/mobile/interpreter.cpp
+++ b/torch/csrc/jit/mobile/interpreter.cpp
@ -159,6 +159,15 @@ bool InterpreterState::run(Stack& stack) {
              static_cast<size_t>(inst.X) >= code.constants_.size()) {
            TORCH_CHECK(false, "Can't load constant with index: ", inst.X);
          }
+          if (inst.N == 0 || inst.N > stack.size()) {
+            TORCH_CHECK(
+                false,
+                "INTERFACE_CALL N=",
+                inst.N,
+                " not in range [1, ",
+                stack.size(),
+                "]");
+          }
          torch::jit::Function& method =
              peek(stack, 0, inst.N)
                  .toObject()