Hugging Face's logo

Zhuxs
/
huggingface-gguf-poc

GGUF
security-research
vulnerability-poc
gguf-parser-bug
Model card Files
xet
 Community

Security Research: GGUF Parser Integer Overflow and Division by Zero

WARNING: This repository contains proof-of-concept files for security vulnerabilities in the GGUF file parser. The files are benign (tiny, 128 bytes each) but may crash applications that load them.

Vulnerability Summary

Two vulnerabilities in the GGUF file format parser used by llama.cpp:

  1. GGML_PAD Integer Wraparound (HIGH): A crafted tensor dimension causes ggml_nbytes to return a value near SIZE_MAX. The GGML_PAD macro wraps this to 0, bypassing overflow guards and leading to heap buffer overflow.

  2. Division by Zero (MEDIUM): Tensor dimension validation allows ne[j] == 0. The subsequent overflow check divides by ne[1], causing INT64_MAX / 0 and an immediate crash.

Files

File Description Size
crash_pad_overflow.gguf PoC for GGML_PAD integer wrap (Vuln 1) 128 bytes
crash_div_zero.gguf PoC for division by zero crash (Vuln 2) 128 bytes
generate_poc.py Script that generates the PoC files ~3 KB
verify_structure.py Script to parse and verify PoC file structure ~2 KB

Reproduction

Build llama.cpp with AddressSanitizer 

git clone https://github.com/ggerganov/llama.cpp
cd llama.cpp && mkdir build && cd build
cmake -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" ..
make gguf

Test Vulnerability 1 (Heap Overflow) 

./bin/gguf crash_pad_overflow.gguf
# Expected: ASAN heap-buffer-overflow report

Test Vulnerability 2 (Division by Zero) 

./bin/gguf crash_div_zero.gguf
# Expected: SIGFPE (Floating point exception) - process crash

Technical Details

Vuln 1: GGML_PAD Wrap

  • File: ggml/src/gguf.cpp, line 724
  • Tensor with ne[0] = 4611686018427387903 (F32 type)
  • ggml_nbytes returns SIZE_MAX - 3
  • GGML_PAD(SIZE_MAX - 3, 32) = ((SIZE_MAX - 3) + 31) & ~31 = 27 & ~31 = 0
  • padded_size = 0 bypasses overflow guard
  • Heap buffer overflow on !no_alloc path

Vuln 2: Division by Zero

  • File: ggml/src/gguf.cpp, line 632
  • Tensor with ne[1] = 0
  • Line 623 checks ne[j] < 0 (allows zero!)
  • Line 632: INT64_MAX / info.t.ne[1] = INT64_MAX / 0 -> SIGFPE

Affected

  • llama.cpp (all versions with current gguf.cpp)
  • All tools that load GGUF files
  • 64-bit platforms (Vuln 1), all platforms (Vuln 2)

Disclaimer

This repository is for authorized security research only, submitted as part of a responsible disclosure via huntr.com. The PoC files are tiny (128 bytes) and contain no executable payloads.

Downloads last month
176
GGUF
Model size
0 params
Architecture
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

View all variants
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support