| Title | onnx unpatched (HEAD); via onnxruntime 1.22.0 bundle Out-of-Bounds Read |
|---|
| Description | `convPoolShapeInference()` in `onnx/defs/nn/old.cc` performs an out-of-bounds heap read during ONNX shape inference. The function iterates `for (i = 0; i < kernel_shape.size(); i++)` and reads `dilations[i]`, but `dilations` is sized to the input tensor's spatial rank (`n_input_dims`). For a Conv node whose weight tensor has more spatial dimensions than the input tensor and which carries no explicit `kernel_shape` attribute, `kernel_shape` is derived from the weight tensor and can exceed `dilations.size()`, so the loop reads past the end of the `dilations` vector (CWE-125; AddressSanitizer: heap-buffer-overflow READ of size 8).
Trigger: a Conv node with input rank 4 (n_input_dims=2), weight rank 5 (3 spatial dims), and no kernel_shape attribute, so kernel_shape.size()=3 > dilations.size()=2; iteration i=2 reads dilations[2] out of bounds. A 255-byte ONNX model is sufficient (reproducer embedded as base64 in the referenced advisory).
The defect is in the ONNX op-schema shape-inference library and is reachable by any consumer that runs shape inference. It was discovered through ONNX Runtime, where it fires during InferenceSession::Load() (before any inference runs) via the public model-load APIs (CreateSessionFromArray). The ONNX Runtime maintainer redirected the issue and fix to the onnx project, which owns the code.
Impact: an 8-byte heap over-read whose value is then used as a kernel dimension (potential heap information disclosure); a sufficiently large out-of-bounds value can also drive downstream out-of-range/oversized allocation during output-shape computation. ASan fingerprints the crash at onnx/defs/nn/old.cc:188 in convPoolShapeInference_opset19; 8 independent fuzzer inputs map to the same site.
Suggested fix: after deriving kernel_shape from the weight tensor, validate kernel_shape.size() == n_input_dims (fail_shape_inference otherwise), or bound the loop by min(kernel_shape.size(), dilations.size()). The same pattern exists in the pooling shape-inference path (old.cc:658) and needs the same guard.
References: public disclosure with reproducer https://github.com/onnx/onnx/issues/8036 ; original report via ONNX Runtime https://github.com/microsoft/onnxruntime/issues/28731 ; proposed fix https://github.com/microsoft/onnxruntime/pull/28734 . Found by Crucible, a structure-aware fuzzer for ML model parsers. |
|---|
| Source | ⚠️ https://github.com/onnx/onnx/issues/8036 |
|---|
| User | m00dy (UID 97162) |
|---|
| Submission | 06/02/2026 19:33 (1 month ago) |
|---|
| Moderation | 07/03/2026 20:29 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376160 [onnx up to 1.21.x onnxruntime onnx/defs/nn/old.cc convPoolShapeInference_opset19 out-of-bounds] |
|---|
| Points | 20 |
|---|
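The rank mismatch the Description field describes, reduced to a self-contained model. This is an added example written for this page, not code from the onnx or onnxruntime projects: the `ConvNode` struct, the `defaulted`/`derivedKernelShape` helpers and the function names are assumptions that stand in for the real schema-inference context. It shows how `kernel_shape` ends up longer than `dilations` when the attribute is absent and the weight tensor has more spatial dimensions than the input, counts (rather than performs) the reads the unguarded `for (i = 0; i < kernel_shape.size(); i++)` loop would make past the end of `dilations`, and applies the suggested `kernel_shape.size() == n_input_dims` check before any per-dimension indexing.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Stand-in for the Conv node as shape inference sees it (assumed layout, not the
// onnx library's own types): input is [N, C, spatial...], weight is [M, C/group, kernel...].
struct ConvNode {
    std::vector<int64_t> input_shape;
    std::vector<int64_t> weight_shape;
    std::vector<int64_t> kernel_shape;  // attribute; empty means absent
    std::vector<int64_t> dilations;     // attribute; empty means absent
    std::vector<int64_t> strides;       // attribute; empty means absent
    std::vector<int64_t> pads;          // attribute; empty means absent (2 * n_input_dims entries)
};

struct ShapeInferenceError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// n_input_dims: the number of spatial dimensions of the input tensor.
static size_t spatialDims(const ConvNode& n) {
    if (n.input_shape.size() < 2) throw ShapeInferenceError("input rank must be >= 2");
    return n.input_shape.size() - 2;
}

// Per-dimension attributes default to n_input_dims entries when absent; this is
// what sizes dilations to the input's spatial rank rather than the weight's.
static std::vector<int64_t> defaulted(const std::vector<int64_t>& attr, size_t n, int64_t v) {
    return attr.empty() ? std::vector<int64_t>(n, v) : attr;
}

// kernel_shape as the report says the original code derives it: the attribute if
// present, otherwise the trailing (weight_rank - 2) dimensions of the weight tensor.
static std::vector<int64_t> derivedKernelShape(const ConvNode& n) {
    if (!n.kernel_shape.empty()) return n.kernel_shape;
    if (n.weight_shape.size() < 2) throw ShapeInferenceError("weight rank must be >= 2");
    return std::vector<int64_t>(n.weight_shape.begin() + 2, n.weight_shape.end());
}

// Number of indices the unguarded loop over kernel_shape.size() would read past the
// end of dilations. We count instead of reading so the model stays well-defined;
// a nonzero result is the report's trigger condition.
size_t outOfBoundsDilationReads(const ConvNode& n) {
    size_t nd = spatialDims(n);
    std::vector<int64_t> kernel = derivedKernelShape(n);
    std::vector<int64_t> dil = defaulted(n.dilations, nd, 1);
    return kernel.size() > dil.size() ? kernel.size() - dil.size() : 0;
}

// Hardened output-shape computation: the rank check is applied right after
// kernel_shape is derived, so every later per-dimension index is in bounds.
// Output extent uses the standard formula for explicit pads:
//   floor((in + pad_begin + pad_end - ((k - 1) * d + 1)) / stride) + 1.
std::vector<int64_t> inferConvOutputShapeChecked(const ConvNode& n) {
    size_t nd = spatialDims(n);
    std::vector<int64_t> kernel = derivedKernelShape(n);
    if (kernel.size() != nd)
        throw ShapeInferenceError("kernel_shape rank does not match input spatial rank");
    std::vector<int64_t> dil = defaulted(n.dilations, nd, 1);
    std::vector<int64_t> str = defaulted(n.strides, nd, 1);
    std::vector<int64_t> pad = defaulted(n.pads, 2 * nd, 0);
    if (dil.size() != nd || str.size() != nd || pad.size() != 2 * nd)
        throw ShapeInferenceError("per-dimension attribute has wrong length");
    std::vector<int64_t> out{n.input_shape[0], n.weight_shape[0]};
    for (size_t i = 0; i < nd; ++i) {
        if (kernel[i] <= 0 || dil[i] <= 0 || str[i] <= 0)
            throw ShapeInferenceError("non-positive kernel, dilation or stride");
        int64_t eff_kernel = (kernel[i] - 1) * dil[i] + 1;  // dilated kernel extent
        int64_t span = n.input_shape[i + 2] + pad[i] + pad[i + nd] - eff_kernel;
        if (span < 0) throw ShapeInferenceError("kernel larger than padded input");
        out.push_back(span / str[i] + 1);
    }
    return out;
}
```

The trigger from the Description (input rank 4, weight rank 5, no `kernel_shape`) gives `outOfBoundsDilationReads` of 1 and makes the checked version throw; a well-formed 2-D Conv passes and yields the usual output shape. Of the two fixes the report suggests, the rank check is the one to prefer: bounding the loop by `min(kernel_shape.size(), dilations.size())` stops the read but silently accepts a malformed model and still leaves `kernel_shape` longer than the other per-dimension attributes for the rest of the function.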