Commit d05e8ce
Fix integer overflow DoS vulnerability in tokenization

Fixes #835

When an extremely large prompt (>2^31 characters) is sent to the
llamafile server, the tokenization function would experience integer
overflow, causing a crash with std::length_error and terminating
the entire server process.

Root cause: In llamafile/llama.cpp line 50, text.size() (size_t/uint64)
was being added to a small value and assigned to int (int32), causing
overflow when text.size() exceeded INT_MAX.

Fix: Added bounds checking before the addition to prevent overflow.
If the input text is too large, we now throw std::length_error with
the same error message that llama.cpp naturally throws, which the
worker exception handler will catch and log.

This matches the behavior of standalone llama.cpp which has internal
bounds checks in std::vector and returns a controlled 500 error rather
than crashing the process.

Security impact: Prevents remote unauthenticated DoS attack where an
attacker could crash the llamafile server by sending an oversized prompt.

1 parent 78a2261 commit d05e8ce
1 file changed, +8 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| 21 | + | |
| 22 | + | |
21 | 23 | | |
22 | 24 | | |
23 | 25 | | |
| |||
47 | 49 | | |
48 | 50 | | |
49 | 51 | | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
50 | 58 | | |
51 | 59 | | |
52 | 60 | | |
| |||
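Review bot: The guard added at diff lines 52-57, just ahead of original line 50, runs inside tokenization, so a prompt of more than 2^31 characters has already been accepted and held in memory by the time it is rejected; a request-size limit enforced before the prompt reaches the tokenizer would bound that cost as well. Check that the comparison is written in size_t as text.size() against INT_MAX minus the small added value, so the check itself cannot wrap. With 1 file changed and +8 -0, the commit carries no regression test for the new std::length_error path.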
0 commit comments
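
The narrowing described in the commit message, next to a guard of the kind it describes, as an added example that is not the commit's own code (the diff content is not shown on this page). The function names, the value of `kExtra` and the error string are assumptions made for illustration; sizes are passed as numbers so no large buffer is allocated.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Assumed stand-in for the "small value" added to text.size(); not from the page.
constexpr std::size_t kExtra = 2;

// Root-cause pattern: a size_t sum narrowed to int wraps once it exceeds INT_MAX.
int unguarded_capacity(std::size_t text_size) {
    return static_cast<int>(text_size + kExtra);
}

// Guarded pattern: compare in size_t before adding, so the check cannot wrap.
int guarded_capacity(std::size_t text_size) {
    if (text_size > static_cast<std::size_t>(INT_MAX) - kExtra)
        throw std::length_error("input text too large");  // constructed message
    return static_cast<int>(text_size + kExtra);
}

// True when the guard refuses this size.
bool guarded_rejects(std::size_t text_size) {
    try {
        (void)guarded_capacity(text_size);
    } catch (const std::length_error &) {
        return true;
    }
    return false;
}

// True when sizing a token buffer from the wrapped value throws std::length_error:
// the negative int converts to a size_t far above vector::max_size().
bool unguarded_throws_length_error(std::size_t text_size) {
    std::vector<int> tokens;
    try {
        tokens.resize(static_cast<std::size_t>(unguarded_capacity(text_size)));
    } catch (const std::length_error &) {
        return true;
    }
    return false;
}

int main() {
    const std::size_t big = std::size_t{1} << 31;  // one past INT_MAX
    std::printf("unguarded int: %d\n", unguarded_capacity(big));
    std::printf("unguarded resize throws: %d\n", unguarded_throws_length_error(big));
    std::printf("guard rejects: %d\n", guarded_rejects(big));
    return 0;
}
```

The uncaught `std::length_error` from the unguarded path is what terminates a process that has no handler around it; the guarded path raises the same exception type at a point the caller can catch.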