CVS-182188 Out-of-bounds Read in ONNX QLinearConcat Converter Stride-3 Loop leads to Crash / DoS

bumbosiepsak · bumbosiepsak · commit 6f1294b1b4ec · 2026-03-31T17:26:14.000+02:00
- Fixed by tightening inputs count validation
- Unit tested
diff --git a/src/frontends/onnx/frontend/src/op/com.microsoft/qlinear_concat.cpp b/src/frontends/onnx/frontend/src/op/com.microsoft/qlinear_concat.cpp
@@ -23,9 +23,12 @@ namespace com_microsoft {
 namespace opset_1 {
 
 ov::OutputVector qlinear_concat(const ov::frontend::onnx::Node& node) {
-    common::default_op_checks(node, 3);
-
     auto inputs = node.get_ov_inputs();
+    FRONT_END_OP_CONVERSION_CHECK(inputs.size() >= 5 && (inputs.size() - 2) % 3 == 0,
+                                  "QLinearConcat: expected 2 + 3*N inputs (Y_scale, Y_zero_point, and N groups of "
+                                  "(X, X_scale, X_zero_point)), got: ",
+                                  inputs.size());
+
     auto Y_scale = inputs[0];
     auto Y_zero_point =
         ov::op::util::is_null(inputs[1]) ? v0::Constant::create(Y_scale.get_element_type(), {}, {0}) : inputs[1];
diff --git a/src/frontends/onnx/tests/convert_tests.cpp b/src/frontends/onnx/tests/convert_tests.cpp
@@ -60,3 +60,19 @@ TEST(ONNXFeConvertException, exception_if_both_unsupported_onnx_validation_excep
                     ov::AssertFailure,
                     testing::HasSubstr("only 'DCR' and 'CRD' modes are supported"));
 }
+
+/// Tests QLinearConcat conversion with missing X input triplet (X, X_scale, X_zero_point)
+/// Has 2 inputs and satisfies the (2 + 3*N) % 3 == 0 condition, but doesn't satisfy the >= 5 condition
+TEST(ONNXFeConvertException, exception_if_qlinear_concat_missing_x_input_triplet) {
+    OV_EXPECT_THROW(convert_model("com.microsoft/qlinear_concat_missing_x_input_triplet.onnx"),
+                    ov::AssertFailure,
+                    testing::AllOf(testing::HasSubstr("expected 2 + 3*N inputs"), testing::HasSubstr(" got: 2")));
+}
+
+/// Tests QLinearConcat conversion with incomplete X input triplet (X, X_scale, X_zero_point)
+/// Has 6 inputs and satisfies the >= 5 condition, but doesn't satisfy the (2 + 3*N) % 3 == 0 condition
+TEST(ONNXFeConvertException, exception_if_qlinear_concat_invalid_x_input_triplet) {
+    OV_EXPECT_THROW(convert_model("com.microsoft/qlinear_concat_invalid_x_input_triplet.onnx"),
+                    ov::AssertFailure,
+                    testing::AllOf(testing::HasSubstr("expected 2 + 3*N inputs"), testing::HasSubstr(" got: 6")));
+}
diff --git a/src/frontends/onnx/tests/models/com.microsoft/qlinear_concat_invalid_x_input_triplet.prototxt b/src/frontends/onnx/tests/models/com.microsoft/qlinear_concat_invalid_x_input_triplet.prototxt
@@ -0,0 +1,112 @@
+ir_version: 3
+producer_name: "OpenVINO ONNX Frontend"
+producer_version: ""
+model_version: 0
+graph {
+  name: "qlinear_concat_invalid_x_input_triplet"
+
+  node {
+    input: "Y_scale"
+    input: "Y_zero_point"
+    input: "X1"
+    input: "X1_scale"
+    input: "X1_zero_point"
+    input: "X2"
+    output: "Y"
+    op_type: "QLinearConcat"
+    attribute {
+      name: "axis"
+      i: 0
+      type: INT
+    }
+    domain: "com.microsoft"
+  }
+
+  input {
+    name: "Y_scale"
+    type {
+      tensor_type {
+        elem_type: 1
+        shape {
+          dim { dim_value: 1 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "Y_zero_point"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 1 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "X1"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "X1_scale"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "X1_zero_point"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "X2"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+
+  output {
+    name: "Y"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+}
+opset_import {
+  domain: "com.microsoft"
+  version: 1
+}
diff --git a/src/frontends/onnx/tests/models/com.microsoft/qlinear_concat_missing_x_input_triplet.prototxt b/src/frontends/onnx/tests/models/com.microsoft/qlinear_concat_missing_x_input_triplet.prototxt
@@ -0,0 +1,60 @@
+ir_version: 3
+producer_name: "OpenVINO ONNX Frontend"
+producer_version: ""
+model_version: 0
+graph {
+  name: "qlinear_concat_missing_x_input_triplet"
+
+  node {
+    input: "Y_scale"
+    input: "Y_zero_point"
+    output: "Y"
+    op_type: "QLinearConcat"
+    attribute {
+      name: "axis"
+      i: 0
+      type: INT
+    }
+    domain: "com.microsoft"
+  }
+
+  input {
+    name: "Y_scale"
+    type {
+      tensor_type {
+        elem_type: 1
+        shape {
+          dim { dim_value: 1 }
+        }
+      }
+    }
+  }
+
+  input {
+    name: "Y_zero_point"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 1 }
+        }
+      }
+    }
+  }
+
+  output {
+    name: "Y"
+    type {
+      tensor_type {
+        elem_type: 2
+        shape {
+          dim { dim_value: 4 }
+        }
+      }
+    }
+  }
+}
+opset_import {
+  domain: "com.microsoft"
+  version: 1
+}
