Fix memory bug in grammar parser (#7194)

The llama.cpp grammar parser had a bug where forgetting to add a closing quotation mark to strings would cause parsing to crash. Anyone running a server on a public endpoint is advised to upgrade. To reproduce this bug ./llamafile -m foo.gguf -p bar --grammar 'root::="' Credit for discovering and reporting this issue goes to Eclypsium Security Researcher Richard Johnson <Richard.johnson@eclypsium.com>.
author: Justine Tunney <jtunney@mozilla.com> 2024-05-10 07:01:08 -0400
committer: GitHub <noreply@github.com> 2024-05-10 21:01:08 +1000
commit: 4e3880978f8b1bf546dd4e6f3b524d6b8739c49c (patch)
tree: 54ab13653c57d8a5ecb709947dd5a43596ca64c2 /common/grammar-parser.cpp
parent: f89fe2732c5709f6e86d5f4aee2e6d2a561f2eb2 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/common/grammar-parser.cpp b/common/grammar-parser.cpp
index 2a130156..fecb7cd7 100644
--- a/common/grammar-parser.cpp
+++ b/common/grammar-parser.cpp
@@ -142,6 +142,9 @@ namespace grammar_parser {
                 pos++;
                 last_sym_start = out_elements.size();
                 while (*pos != '"') {
+                    if (!*pos) {
+                        throw std::runtime_error("unexpected end of input");
+                    }
                     auto char_pair = parse_char(pos);
                          pos       = char_pair.second;
                     out_elements.push_back({LLAMA_GRETYPE_CHAR, char_pair.first});
@@ -156,6 +159,9 @@ namespace grammar_parser {
                 }
                 last_sym_start = out_elements.size();
                 while (*pos != ']') {
+                    if (!*pos) {
+                        throw std::runtime_error("unexpected end of input");
+                    }
                     auto char_pair = parse_char(pos);
                          pos       = char_pair.second;
                     enum llama_gretype type = last_sym_start < out_elements.size()
@@ -164,6 +170,9 @@ namespace grammar_parser {
 
                     out_elements.push_back({type, char_pair.first});
                     if (pos[0] == '-' && pos[1] != ']') {
+                        if (!pos[1]) {
+                            throw std::runtime_error("unexpected end of input");
+                        }
                         auto endchar_pair = parse_char(pos + 1);
                              pos          = endchar_pair.second;
                         out_elements.push_back({LLAMA_GRETYPE_CHAR_RNG_UPPER, endchar_pair.first});
author	Justine Tunney <jtunney@mozilla.com>	2024-05-10 07:01:08 -0400
committer	GitHub <noreply@github.com>	2024-05-10 21:01:08 +1000
commit	4e3880978f8b1bf546dd4e6f3b524d6b8739c49c (patch)
tree	54ab13653c57d8a5ecb709947dd5a43596ca64c2 /common/grammar-parser.cpp
parent	f89fe2732c5709f6e86d5f4aee2e6d2a561f2eb2 (diff)