Add bounds checking to OgaSequencesGetSequence C API functions#2260
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the GenAI C API against out-of-bounds sequence access and improves defensive validation when creating tensors from user-provided buffers, reducing the risk of undefined behavior and potential heap data disclosure across all language bindings.
Changes:
- Add bounds checks to
OgaSequencesGetSequenceCount/OgaSequencesGetSequenceDatato avoid OOB reads (return0/nullptr). - Strengthen
OgaCreateTensorFromBuffervalidation (null shape pointer, negative dims, and byte-count overflow guard). - Add a unit test covering out-of-bounds sequence access behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/c_api_tests.cpp | Adds CAPITests.SequencesOutOfBoundsAccess to verify OOB indices return safe sentinel values. |
| src/ort_genai_c.cpp | Adds bounds checks for sequence getters and adds shape/byte-count validation in OgaCreateTensorFromBuffer. |
kunal-vaishnavi
approved these changes
Jul 6, 2026
OgaSequencesGetSequenceCount and OgaSequencesGetSequenceData accessed the underlying vector via operator[] without validating the sequence index, allowing an out-of-bounds read when the caller supplied an index >= the number of sequences. Return 0 / nullptr for out-of-bounds indices so no C++ exception crosses the C API boundary. Also harden OgaCreateTensorFromBuffer against negative dimensions and byte-count multiplication overflow when computing the tensor size. Add a CAPITests.SequencesOutOfBoundsAccess unit test covering the out-of-bounds behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Addresses review feedback: a caller of this C ABI entry point could pass shape_dims=nullptr with a non-zero shape_dims_count, causing a null dereference in the shape loop. Reject that combination explicitly before constructing the span. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Document the out-of-bounds behavior of OgaSequencesGetSequenceCount (returns 0) and OgaSequencesGetSequenceData (returns nullptr) in the public C header so consumers don't misread it as a valid empty sequence. - Guard against int64_t shape dimensions exceeding size_t range before casting in OgaCreateTensorFromBuffer, so the overflow check is not defeated by truncation on 32-bit builds. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
71f121a to
a1a3720
Compare
tianleiwu
pushed a commit
that referenced
this pull request
Jul 11, 2026
## Description `OgaSequencesGetSequenceCount` and `OgaSequencesGetSequenceData` accessed the underlying vector via `operator[]` without validating the `sequence` index. When a caller passes an index `>= OgaSequencesCount()`, this results in an out-of-bounds read of heap memory (undefined behavior), which can disclose adjacent heap contents. This mirrors the validation already present in `OgaAppendTokenToSequence`, which checks the index before access. ## Changes - `OgaSequencesGetSequenceCount`: return `0` when `sequence >= size()`. - `OgaSequencesGetSequenceData`: return `nullptr` when `sequence >= size()`. - Returning a value (instead of throwing) keeps a valid C ABI so no C++ exception crosses the C API boundary. This protects all language bindings (C, C++, Python, C#, Java) that route through these functions. - `OgaCreateTensorFromBuffer`: reject negative shape dimensions, guard the byte-count multiplication against `size_t` overflow, and reject a null `shape_dims` with a non-zero count (defense-in-depth). - Added `CAPITests.SequencesOutOfBoundsAccess` unit test (no model required) verifying valid access works and out-of-bounds indices return `0` / `nullptr`. ## Testing Built the library and unit tests, and ran: ``` [ RUN ] CAPITests.AppendTokensToSequence [ OK ] CAPITests.AppendTokensToSequence [ RUN ] CAPITests.SequencesOutOfBoundsAccess [ OK ] CAPITests.SequencesOutOfBoundsAccess [ RUN ] CAPITests.MaxLength [ OK ] CAPITests.MaxLength [ PASSED ] 3 tests. ``` Replaces #2257 (recreated as a non-fork branch so CI can run). --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
OgaSequencesGetSequenceCountandOgaSequencesGetSequenceDataaccessed the underlying vector viaoperator[]without validating thesequenceindex. When a caller passes an index>= OgaSequencesCount(), this results in an out-of-bounds read of heap memory (undefined behavior), which can disclose adjacent heap contents.This mirrors the validation already present in
OgaAppendTokenToSequence, which checks the index before access.Changes
OgaSequencesGetSequenceCount: return0whensequence >= size().OgaSequencesGetSequenceData: returnnullptrwhensequence >= size().OgaCreateTensorFromBuffer: reject negative shape dimensions, guard the byte-count multiplication againstsize_toverflow, and reject a nullshape_dimswith a non-zero count (defense-in-depth).CAPITests.SequencesOutOfBoundsAccessunit test (no model required) verifying valid access works and out-of-bounds indices return0/nullptr.Testing
Built the library and unit tests, and ran:
Replaces #2257 (recreated as a non-fork branch so CI can run).