Fix out-of-bounds read vulnerability in ArrayFeatureExtractor by Copilot · Pull Request #27275 · microsoft/onnxruntime
### Description
ArrayFeatureExtractor was vulnerable to out-of-bounds reads when
provided negative indices. The bounds check only validated upper bounds
(`y_data[i] >= stride`) but not lower bounds, allowing negative values
to read arbitrary heap memory.
**Changes:**
- Added negative index validation in `array_feature_extractor.cc` line
76: `y_data[i] < 0 || y_data[i] >= stride`
- Updated error message to clarify valid range: `must be in [0, stride)`
- Added test case `InvalidInputNegativeY` to verify rejection of
negative indices
**Example exploitation:**
```python
# Previously allowed, causing heap leak
y_data = np.array([-10], dtype=np.int64)
results = session.run(["z"], {"x": x_data, "y": y_data}) # Reads unintended memory
```
Now returns `INVALID_ARGUMENT` with diagnostic message.
### Motivation and Context
Security vulnerability allowing heap memory disclosure through negative
index values bypassing bounds validation. The operator accesses
`x_data[y_data[j]]` at line 98 without ensuring `y_data[j] >= 0`.
<!-- START COPILOT ORIGINAL PROMPT -->
<details>
<summary>Original prompt</summary>
>
> ----
>
> *This section details on the original issue you should resolve*
>
> <issue_title>Out-of-Bounds Read Leading to Heap Leak</issue_title>
> <issue_description>The vulnerability being exploited is a heap leak
caused by an out-of-bounds read in ONNX Runtime’s ArrayFeatureExtractor
operator. The root cause is insufficient bounds checking on the index
input, allowing negative values to access unintended memory regions.
>
> POC: Files shows code and code output
>
> Per Copilot:
> Type: Out-of-bounds read (OOB read) in ONNX Runtime’s
ArrayFeatureExtractor operator
> Affected Version: ≤ 1.23.2 (latest at time of report)
> Root Cause:
> In the file
onnxruntime/core/providers/cpu/ml/array_feature_extractor.cc, the code
checks if y_data[i] <= stride (where stride is the total length), but
does not check if y_data[i] >= 0.
> This means a negative index can be used, causing an out-of-bounds read
and leaking heap memory values.
>
> Example: Supplying a negative value in y_data (e.g., y_data = [-10])
bypasses bounds checking and reads unintended memory, exposing heap
data.
>
>
> FINDERS Notes ------------
>
> Detailed information is in the attachment, which includes complete
steps to reproduce the problem.
> Detailed information is in the attachment, which includes complete
steps to reproduce the problem.
>
> Save the model
> ```
> import numpy as np
> import onnx
> from onnx import helper, TensorProto, checker
>
> x_shape = [ 10,1]
> x_dtype = TensorProto.INT64
>
> y_shape = [1]
> y_dtype = TensorProto.INT64
>
> z_dtype = TensorProto.INT64
> z_shape = [ 10,1]
>
> node = helper.make_node(
> op_type="ArrayFeatureExtractor",
> inputs=["x", "y"],
> outputs=["z"],
> domain="ai.onnx.ml"
> )
>
> input_x = helper.make_tensor_value_info(
> "x", x_dtype, x_shape
> )
>
> input_y = helper.make_tensor_value_info(
> "y", y_dtype, y_shape
> )
>
> output_z = helper.make_tensor_value_info(
> "z", z_dtype, z_shape
> )
>
> graph = helper.make_graph(
> nodes=[node],
> name="ArrayFeatureExtractor_Test",
> inputs=[input_x, input_y],
> outputs=[output_z]
> )
>
>
> opset_imports = [
> helper.make_opsetid("", 15),
> helper.make_opsetid("ai.onnx.ml", 3),
> ]
>
> model = helper.make_model(
> graph,
> opset_imports=opset_imports,
> producer_name="onnx-example"
> )
>
>
> onnx.save(model, "array_feature_extractor_manual.onnx")
> ```
>
> Load the model
> ```
> import onnxruntime as ort
> import numpy as np
> session = ort.InferenceSession("array_feature_extractor_manual.onnx",
providers=["CPUExecutionProvider"])
>
>
> x_data = np.arange(10, dtype=np.int64).reshape( 10,1)
>
>
> y_data = np.array([-10], dtype=np.int64)
>
> print(x_data)
> print("?? Index:", y_data)
>
>
> results = session.run(
> ["z"],
> {"x": x_data, "y": y_data}
> )
>
> z_output = results[0]
>
> print(z_output)
> ```</issue_description>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>
>
</details>
<!-- START COPILOT CODING AGENT SUFFIX -->
- Fixes #27265
<!-- START COPILOT CODING AGENT TIPS -->
---
💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: hariharans29 <9969784+hariharans29@users.noreply.github.com>