Skip to content

Fix integer overflow in csr_offsets subscripts#5950

Closed
q10 wants to merge 1 commit into
pytorch:mainfrom
q10:export-D109620546
Closed

Fix integer overflow in csr_offsets subscripts#5950
q10 wants to merge 1 commit into
pytorch:mainfrom
q10:export-D109620546

Conversation

@q10

@q10 q10 commented Jun 24, 2026
edited by meta-codesync Bot
Loading

Copy link
Copy Markdown
Contributor

Summary:
In csr2csc_template_, the subscript expressions used to index into
csr_offsets computed table_to_feature_offset[N] * B as int * int,
which overflows for large values of B or feature offset counts. This can
lead to out-of-bounds array access.

Four sites are fixed by casting one operand to size_t before the
multiplication, which promotes the other int operand via the usual
arithmetic conversions, making the product safe:

  • nnz computation (both subscripts)
  • NS computation (second subscript — first already had the cast)
  • FBo subscript

Also fix type-safety issues in the inner loop value assignment:

  • Use pair_t{} explicitly instead of relying on CTAD from std::pair{}
  • Cast scale_factor (double) to scalar_t before multiplication to
    avoid implicit narrowing
  • Replace hardcoded 1.0f fallback weight with scalar_t{1}

Reviewed By: colin2328

Differential Revision: D109620546

@meta-cla meta-cla Bot added the cla signed label Jun 24, 2026
@meta-codesync

meta-codesync Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

@q10 has exported this pull request. If you are a Meta employee, you can view the originating Diff in D109620546.

@q10 q10 force-pushed the export-D109620546 branch from c0f3354 to f80e6b5 Compare June 24, 2026 21:56
@q10 @facebook-github-bot
Fix integer overflow in csr_offsets subscripts
e18c7db 
Summary:
In `csr2csc_template_`, the subscript expressions used to index into
`csr_offsets` computed `table_to_feature_offset[N] * B` as `int * int`,
which overflows for large values of B or feature offset counts. This can
lead to out-of-bounds array access.

Four sites are fixed by casting one operand to `size_t` before the
multiplication, which promotes the other `int` operand via the usual
arithmetic conversions, making the product safe:

- `nnz` computation (both subscripts)
- `NS` computation (second subscript — first already had the cast)
- `FBo` subscript

Also fix type-safety issues in the inner loop value assignment:
- Use `pair_t{}` explicitly instead of relying on CTAD from `std::pair{}`
- Cast `scale_factor` (double) to `scalar_t` before multiplication to
  avoid implicit narrowing
- Replace hardcoded `1.0f` fallback weight with `scalar_t{1}`

Reviewed By: colin2328

Differential Revision: D109620546
@q10 q10 force-pushed the export-D109620546 branch from f80e6b5 to e18c7db Compare June 25, 2026 22:25
@meta-codesync meta-codesync Bot closed this in ac03680 Jun 26, 2026
@meta-codesync meta-codesync Bot added the Merged label Jun 26, 2026
@meta-codesync

meta-codesync Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

This pull request has been merged in ac03680.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla signed Merged meta-exported

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@q10