@GregoryComer
Member

Summary:
The size calculation in `get_pixel_shuffle_out_target_size` can trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing.

Specifically, the calculation of `upscale_factor * upscale_factor` ([source](https://github.com/pytorch/executorch/blob/04f1e4d22383ffcbc770acf5002348e3f95082a2/kernels/portable/cpu/util/copy_ops_util.cpp#L364)) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17.

Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice. I check this upper bound in `check_pixel_shuffle_args` and also assert in `get_pixel_shuffle_out_target_size` to ensure we don't hit UB.

Differential Revision: D88693324
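
The failure mode described in the summary above, as an added example that is not part of the pull request or of the ExecuTorch code base. It assumes a 32-bit signed `SizesType`; `low32_of_square` and `checked_out_channels` are hypothetical names, and the divisibility check is an assumed requirement of the operator. It shows that the low 32 bits of (2^17)^2 are zero, which is consistent with the division-by-zero fault, and how rejecting the factor before multiplying avoids the overflow.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption: SizesType is a signed 32-bit integer, as in the PR's motivating case.
using SizesType = int32_t;

// Bound stated in the PR description: upscale_factor < 32768 (2^15).
constexpr int64_t kMaxUpscaleFactor = 32768;

// Any factor under the bound has a square that fits in SizesType.
static_assert((kMaxUpscaleFactor - 1) * (kMaxUpscaleFactor - 1) <=
                  std::numeric_limits<SizesType>::max(),
              "bound must keep r * r representable");

// Low 32 bits of r * r, computed in 64-bit so this demo has no UB itself.
// This is what a wrapping 32-bit multiply would leave behind.
uint32_t low32_of_square(int32_t r) {
  const int64_t wide = static_cast<int64_t>(r) * r;
  return static_cast<uint32_t>(static_cast<uint64_t>(wide));
}

// Hypothetical checked helper (not ExecuTorch's function): writes
// channels / (r * r) to *out, or returns false if the arguments are rejected.
bool checked_out_channels(SizesType channels, int64_t r, SizesType* out) {
  if (r <= 0 || r >= kMaxUpscaleFactor) {
    return false;  // rejected before any multiplication happens
  }
  const int64_t r2 = r * r;  // at most 32767^2, so no overflow
  if (channels < 0 || channels % r2 != 0) {
    return false;  // assumed requirement: channels divisible by r^2
  }
  *out = static_cast<SizesType>(channels / r2);
  return true;
}

int main() {
  SizesType out = -1;
  std::printf("low 32 bits of (2^17)^2: %u\n",
              static_cast<unsigned>(low32_of_square(1 << 17)));
  const bool huge_ok = checked_out_channels(64, 1 << 17, &out);
  std::printf("r = 2^17 accepted: %d\n", huge_ok);
  const bool small_ok = checked_out_channels(64, 2, &out);
  std::printf("r = 2 accepted: %d, out = %d\n", small_ok, out);
  return 0;
}
```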

@pytorch-bot

pytorch-bot bot commented Dec 9, 2025

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/16138

Note: Links to docs will display an error until the docs builds have been completed.

✅ You can merge normally! (1 Unrelated Failure)

As of commit e879e0a with merge base 04f1e4d:

UNSTABLE - The following job is marked as unstable, possibly due to flakiness on trunk:

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla bot added the CLA Signed label Dec 9, 2025
@meta-codesync

meta-codesync bot commented Dec 9, 2025

@GregoryComer has exported this pull request. If you are a Meta employee, you can view the originating Diff in D88693324.

@GregoryComer GregoryComer added the release notes: none label Dec 9, 2025
GregoryComer added a commit to GregoryComer/executorch that referenced this pull request Dec 9, 2025
…torch#16138)

Summary:

The size calculation in `get_pixel_shuffle_out_target_size` can trigger signed integer overflow (UB) with very large upscale_factors. This manifested as an integer division by zero fault during fuzzing.

Specifically, the calculation of `upscale_factor * upscale_factor` ([source](https://github.com/pytorch/executorch/blob/04f1e4d22383ffcbc770acf5002348e3f95082a2/kernels/portable/cpu/util/copy_ops_util.cpp#L364)) can overflow. In the motivating case, SizesType is a signed 32-bit integer and upscale_factor = 2^17.

Since this is an impractically large upscale factor, I'm just adding a constraint that upscale_factor < 32768 (2^15). In theory, SizesType could be defined as less than 32 bits, but this seems unlikely in practice.

Differential Revision: D88693324
@meta-codesync

meta-codesync bot commented Dec 9, 2025

@GregoryComer has imported this pull request. If you are a Meta employee, you can view this in D88693324.

@GregoryComer GregoryComer merged commit c9f6df1 into pytorch:main Dec 9, 2025
237 of 246 checks passed
Labels

CLA Signed, fb-exported, meta-exported, release notes: none
