Add input shapes validation to prevent heap overflow in Concat layer

Deepdive543443 · Deepdive543443 · commit e11d0040da9b · 2025-07-28T18:03:15.000+08:00
diff --git a/src/layer/arm/concat_arm.cpp b/src/layer/arm/concat_arm.cpp
@@ -197,10 +197,13 @@ int Concat_arm::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>&
         // total channels
         size_t elemsize = bottom_blobs[0].elemsize;
         int elempack = bottom_blobs[0].elempack;
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c * bottom_blobs[0].elempack;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             elemsize = std::min(elemsize, bottom_blob.elemsize);
             elempack = std::min(elempack, bottom_blob.elempack);
             top_channels += bottom_blob.c * bottom_blob.elempack;
diff --git a/src/layer/concat.cpp b/src/layer/concat.cpp
@@ -128,10 +128,13 @@ int Concat::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>& top_
         int d = bottom_blobs[0].d;
 
         // total channels
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             top_channels += bottom_blob.c;
         }
 
diff --git a/src/layer/loongarch/concat_loongarch.cpp b/src/layer/loongarch/concat_loongarch.cpp
@@ -176,10 +176,13 @@ int Concat_loongarch::forward(const std::vector<Mat>& bottom_blobs, std::vector<
         // total channels
         size_t elemsize = bottom_blobs[0].elemsize;
         int elempack = bottom_blobs[0].elempack;
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c * bottom_blobs[0].elempack;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             elemsize = std::min(elemsize, bottom_blob.elemsize);
             elempack = std::min(elempack, bottom_blob.elempack);
             top_channels += bottom_blob.c * bottom_blob.elempack;
diff --git a/src/layer/mips/concat_mips.cpp b/src/layer/mips/concat_mips.cpp
@@ -176,10 +176,13 @@ int Concat_mips::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>&
         // total channels
         size_t elemsize = bottom_blobs[0].elemsize;
         int elempack = bottom_blobs[0].elempack;
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c * bottom_blobs[0].elempack;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             elemsize = std::min(elemsize, bottom_blob.elemsize);
             elempack = std::min(elempack, bottom_blob.elempack);
             top_channels += bottom_blob.c * bottom_blob.elempack;
diff --git a/src/layer/riscv/concat_riscv.cpp b/src/layer/riscv/concat_riscv.cpp
@@ -218,10 +218,13 @@ int Concat_riscv::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>
         // total channels
         size_t elemsize = bottom_blobs[0].elemsize;
         int elempack = bottom_blobs[0].elempack;
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c * bottom_blobs[0].elempack;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             elemsize = std::min(elemsize, bottom_blob.elemsize);
             elempack = std::min(elempack, bottom_blob.elempack);
             top_channels += bottom_blob.c * bottom_blob.elempack;
diff --git a/src/layer/x86/concat_x86.cpp b/src/layer/x86/concat_x86.cpp
@@ -388,10 +388,13 @@ int Concat_x86::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>&
         // total channels
         size_t elemsize = bottom_blobs[0].elemsize;
         int elempack = bottom_blobs[0].elempack;
-        int top_channels = 0;
-        for (size_t b = 0; b < bottom_blobs.size(); b++)
+        int top_channels = bottom_blobs[0].c * bottom_blobs[0].elempack;
+        for (size_t b = 1; b < bottom_blobs.size(); b++)
         {
             const Mat& bottom_blob = bottom_blobs[b];
+            if (bottom_blob.w != w || bottom_blob.h != h || bottom_blob.d != d)
+                return -100;
+
             elemsize = std::min(elemsize, bottom_blob.elemsize);
             elempack = std::min(elempack, bottom_blob.elempack);
             top_channels += bottom_blob.c * bottom_blob.elempack;

Original file line number	Diff line number	Diff line change
`@@ -128,10 +128,13 @@ int Concat::forward(const std::vector<Mat>& bottom_blobs, std::vector<Mat>& top_`
`128`	`128`	`int d = bottom_blobs[0].d;`
`129`	`129`
`130`	`130`	`// total channels`
`131`		`- int top_channels = 0;`
`132`		`- for (size_t b = 0; b < bottom_blobs.size(); b++)`
	`131`	`+ int top_channels = bottom_blobs[0].c;`
	`132`	`+ for (size_t b = 1; b < bottom_blobs.size(); b++)`
`133`	`133`	`{`
`134`	`134`	`const Mat& bottom_blob = bottom_blobs[b];`
	`135`	`+ if (bottom_blob.w != w \|\| bottom_blob.h != h \|\| bottom_blob.d != d)`
	`136`	`+ return -100;`
	`137`	`+`
`135`	`138`	`top_channels += bottom_blob.c;`
`136`	`139`	`}`
`137`	`140`