From a35ad35368b555c751ef2182d7e7c1b1072651c9 Mon Sep 17 00:00:00 2001
From: wangxiaomeng <wangxiaomeng@kylinos.cn>
Date: Fri, 10 May 2024 14:01:04 +0800
Subject: [PATCH] Fix CVE-2024-31584

---
 ...latbuffer-loader-out-of-bounds-reads.patch | 37 +++++++++++++++++++
 pytorch.spec                                  |  6 ++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch

diff --git a/0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch b/0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch
new file mode 100644
index 0000000..aab86ea
--- /dev/null
+++ b/0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch
@@ -0,0 +1,37 @@
+From 0d3ceb3058201868765ff3aa1126685f3f7f9ecc Mon Sep 17 00:00:00 2001
+From: Andrew Calvano <calvano@fb.com>
+Date: Fri, 17 Nov 2023 17:29:04 +0000
+Subject: [PATCH] Fix for PyTorch mobile flatbuffer loader out of bounds reads
+ (#110162)
+
+Summary:
+The mobile_ivalue_size field in the mobile_bytecode flatbuffer schema can be larger than the ivalues vector. This introduces potential for memory corruption when parsing the mobile_bytecode Module.
+
+This diff fixes the issue by ensuring that  mobile_ivalue_size is less than the size of the ivalues vector.
+
+Test Plan: contbuild & OSS CI
+
+Differential Revision: D49687548
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110162
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/flatbuffer_loader.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/flatbuffer_loader.cpp b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+index 2fb12a4f..2069330b 100644
+--- a/torch/csrc/jit/mobile/flatbuffer_loader.cpp
++++ b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule(
+   storage_loaded_.resize(module->storage_data_size(), false);
+ 
+   mobile_ivalue_size_ = module_->mobile_ivalue_size();
+-  if (mobile_ivalue_size_ == 0) {
++  if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) {
+     mobile_ivalue_size_ = ivalues->size();
+   }
+ 
+-- 
+2.43.0
+
diff --git a/pytorch.spec b/pytorch.spec
index 73c7523..949061c 100644
--- a/pytorch.spec
+++ b/pytorch.spec
@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name:		pytorch
 Version:	2.1.2
-Release:	2
+Release:	3
 Summary:	Tensors and Dynamic neural networks in Python with strong GPU acceleration
 License:	BSD-3-Clause
 URL:		https://pytorch.org/
 Source0:	https://github.com/pytorch/pytorch/releases/download/v%{version}/pytorch-v%{version}.tar.gz
 
 Patch1:		0001-add-Wno-error-nonnull-for-test-cpp-api.patch
+Patch2:		0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch
 BuildRequires:  g++
 Requires:	python3-future
 Requires:	python3-numpy
@@ -86,6 +87,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Apr 22 2024 wangxiaomeng <wangxiaomeng@kylinos.cn> - 2.1.2-3
+- Fix CVE-2024-31584
+
 * Thu Jan 11 2024 Dongxing Wang <dongxing.wang_a@thundersoft.com> - 2.1.2-2
 - Patch: Add -Wno-error=nonnull for test/cpp/api/
 
-- 
Gitee