b9917
b9917
View on GitHubView PackagePublished: Jul 8, 2026

Release Notes

fix: OOB reads in UGM tokenizer (precompiled_charsmap handling) (#18750)

  • fix: OOB reads in UGM tokenizer (precompiled_charsmap handling)
  • Validate minimum size (4 bytes) before reading xcda_blob_size
  • Use strnlen with bounds check instead of unsafe strlen

Both issues allow heap-buffer-overflow from malicious T5/UGM GGUF files.

  • Replace unsafe strnlen() with a bounds-checked loop that scans for \0 within the remaining array size.

  • move bounds checks to load

  • typo merge fix


Co-authored-by: hourhl [email protected] Co-authored-by: Sigbjørn Skjæret [email protected]

macOS/iOS:

Linux:

Android:

Windows:

openEuler:

  • DISABLED
  • openEuler x86 (310p)
  • openEuler x86 (910b, ACL Graph)
  • openEuler aarch64 (310p)
  • openEuler aarch64 (910b, ACL Graph)

UI: