Harden ORT FlatBuffer model loader against malformed buffers

[tianleiwu]

Description

Harden the .ort FlatBuffer model loader to reject malformed buffers early instead of dereferencing null pointers, allocating attacker-controlled sizes, or accessing out-of-bounds memory.

Changes

Null table offset validation (flatbuffers_utils.h/.cc)

• Add ValidateRequiredTableOffsets<T>() template that scans a FlatBuffer vector of table offsets and rejects any null (zero) entries before the caller dereferences them.
• Apply to opset imports, initializers, sparse initializers, node args, nodes, node edges, and metadata properties.

Initializer raw_data size validation (graph_flatbuffers_utils.cc)

• After reading shape and type, compute expected byte count and compare against actual raw_data size. Reject mismatches with a descriptive error.

Node index hardening (graph.cc)

• Compute required_node_slot_count by scanning actual node/edge indices instead of trusting the serialized max_node_index field, which could be attacker-controlled and cause oversized allocation.
• Reject duplicate node indices, dangling NodeEdge references to missing nodes, duplicate NodeArg names, and unknown NodeArg references in graph inputs/outputs.

Regression tests (ort_model_only_test.cc)

• RejectsInitializerRawDataSizeMismatch: crafted buffer with wrong raw_data size
• RejectsNullNodeArgTableEntry: buffer with zeroed-out node arg offset
• RejectsDanglingNodeEdge: buffer with a NodeEdge pointing to a non-existent node

Motivation

These checks defend against crafted .ort files that could cause null-pointer dereferences, excessive memory allocation, or out-of-bounds access during model loading.

Testing

• git diff --check passes (no whitespace issues)
• Incremental build of touched core objects succeeds
• New regression tests exercise each validation path

[tianleiwu]

Review Summary

Well-targeted security hardening of the .ort FlatBuffer model loader. The changes add systematic null-offset detection for FlatBuffer vectors of tables, validate initializer raw data sizes, and replace the trust-the-metadata node sizing with a scan-based approach. Tests exercise the new error paths. Overall code quality is high and the defensive strategy is sound.

The ValidateRequiredTableOffsets template correctly uses ReadScalar<uoffset_t> + zero-check — the only reliable approach since Vector<Offset<T>>::Get(i) on a zero offset returns a non-null dangling pointer rather than nullptr. Good that it follows the existing pattern from LoadInitializerOrtFormat.

The key improvement in graph.cc — replacing nodes_.resize(fbs_graph.max_node_index()) with scan-based required_node_slot_count — eliminates a straightforward memory amplification attack via crafted max_node_index. The duplicate node index and dangling NodeEdge detection add integrity validation that was previously missing. The gsl::not_null → explicit nullptr check change for graph inputs/outputs is also good: returns a descriptive error instead of aborting.

See inline comments for suggestions.

[Copilot]

Pull request overview

Hardens the ORT FlatBuffer (.ort) model loader against malformed/crafted buffers by adding additional validation during deserialization, and introduces regression tests that exercise the new failure paths.

Changes:

• Add ValidateRequiredTableOffsets<T>() and use it to reject null (zero) table offsets in FlatBuffer vectors before dereferencing.
• Validate initializer raw_data byte size against expected size computed from shape + type.
• Harden graph loading against attacker-controlled node indexing (oversized allocations), plus additional structural validation; add regression tests for these scenarios.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
onnxruntime/test/framework/ort_model_only_test.cc	Adds crafted-buffer regression tests for new validation paths.
onnxruntime/core/graph/model.cc	Validates metadata property table offsets before iterating.
onnxruntime/core/graph/graph_flatbuffers_utils.cc	Rejects initializer raw_data size mismatches early with a descriptive error.
onnxruntime/core/graph/graph.cc	Adds table-offset validation, duplicate NodeArg detection, node index allocation hardening, and additional graph consistency checks.
onnxruntime/core/flatbuffers/flatbuffers_utils.h / .cc	Introduces and applies ValidateRequiredTableOffsets<T>() for required table vectors (e.g., opset imports).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.