[PR] fix: out-of-bounds read in `StringViewToDLDataType_` with non-null-terminated strings [tvm-ffi]

Tue, 06 Jan 2026 19:37:25 -0800 


khj809 opened a new pull request, #387:
URL: https://github.com/apache/tvm-ffi/pull/387

   ## Summary
   Fixes a critical bug in `StringViewToDataType_` that causes undefined 
behavior when parsing dtype strings from non-null-terminated 
`std::string_view`. This bug particularly affects Electron applications due to 
aggresive memory reuse in Chromium's allocators.
   
   ## Problem
   The original implementation used `strtoul()` to parse numeric values (bits 
and lanes) directly from `std::string_view::data()`. However, `strtoul()` 
requires null-terminated strings and will continue reading beyond the 
string_view bounds until it finds a null terminator or non-digit character.
   
   ## Solution
   Replace `strtoul()` with manual digit parsing that respects `string_view` 
boundaries:
   ```c++
   auto parse_digits = [](const char*& ptr, const char* end) -> uint32_t {
     uint32_t value = 0;
     while (ptr < end && *ptr >= '0' && *ptr <= '9') {
       value = value * 10 + (*ptr - '0');
       ptr++;
     }
     return value;
   };
   ```
   - Never reads beyond `str.data() + str.length()`
   - Works correctly with non-null-terminated strings
   - No memory allocation overhead
   - Same performance as `strtoul` but safe
   
   ## Testing
   New test `TEST(DType, NonNullTerminatedStringView)` validates:
   - Parsing with digit garbage after the string (`"float16999888777"` length 7 
-> bits=16, not 16999888777)
   - Parsing with lane specifications outside bounds (`"int32x4extradata"` 
length 5 -> lanes=1, not 4)
   - Correct parsing when lanes are within bounds (`"bfloat16x2"` length 10 -> 
lanes=2)
   - Non-null-terminated buffers (`"float64AAAAA"` length 7 -> float64)
   - Edge cases with various dtype types (int, uint, float, bfloat)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to