From 02e2158e754bafda46e663052c838aeb6ab6b560 Mon Sep 17 00:00:00 2001
From: Andrew Calvano
Date: Thu, 28 Dec 2023 22:09:03 +0000
Subject: [PATCH] Fix for out of bounds read in mobile interpreter INTERFACE_CALL opcode handler (#110301) Summary: The INTERFACE_CALL opcode for the mobile TorchScript interpreter contained an out of bounds read issue leading to memory corruption. This change adds an explicit check that the number of inputs passed to the format method called when handling the INTERFACE_CALL opcode is a valid and within bounds of the stack. Test Plan: contbuild + OSS signals Differential Revision: D49739450 Pull Request resolved: https://github.com/pytorch/pytorch/pull/110301 Approved by: https://github.com/dbort
---
 torch/csrc/jit/mobile/interpreter.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp
index 2d112034971..5fa90dbecdb 100644
--- a/torch/csrc/jit/mobile/interpreter.cpp
+++ b/torch/csrc/jit/mobile/interpreter.cpp
@@ -159,6 +159,15 @@ bool InterpreterState::run(Stack& stack) {
 static_cast(inst.X) >= code.constants_.size()) {
 TORCH_CHECK(false, "Can't load constant with index: ", inst.X);
 }
+ if (inst.N == 0 || inst.N > stack.size()) {
+ TORCH_CHECK(
+ false,
+ "INTERFACE_CALL N=",
+ inst.N,
+ " not in range [1, ",
+ stack.size(),
+ "]");
+ }
 torch::jit::Function& method =
 peek(stack, 0, inst.N)
 .toObject()
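Review bot: The new guard on `inst.N` has no comment saying why zero is rejected or where the value comes from, so the lower bound in `inst.N == 0 || inst.N > stack.size()` reads as arbitrary. Assuming `peek(stack, 0, inst.N)` addresses the entry N slots below the end of the stack, N=0 would refer to one past the last element and an N larger than the stack would land before its start; a short comment above the `if`, such as `// inst.N is taken from the loaded bytecode; peek(stack, 0, N) needs 1 <= N <= stack.size()`, would record that. The condition could also be passed directly, `TORCH_CHECK(inst.N != 0 && inst.N <= stack.size(), "INTERFACE_CALL N=", inst.N, ...)`, though the wrapped form does match the constant-index check just above it. The test plan lists no case that loads a module with an out-of-range N, so a regression test for this path is worth adding. The INTERFACE_CALL case body starts and ends outside the hunk.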