From cb8eb87ca4d25460806c1159db0019f6976e3fa2 Mon Sep 17 00:00:00 2001
From: Lucy Qiu <lfq@meta.com>
Date: Tue, 11 Nov 2025 11:39:42 -0800
Subject: [PATCH] Fix stack buffer overflow in resize_tensor (#15626)

Summary:

`new_sizes_casted` is created with size kTensorDimensionLimit.

Make sure that new_sizes_ndim is <= kTensorDimensionLimit before resizing.

Reviewed By: JacobSzwejbka

Differential Revision: D86361111
---
 runtime/core/exec_aten/util/tensor_util.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/runtime/core/exec_aten/util/tensor_util.h b/runtime/core/exec_aten/util/tensor_util.h
index 9b490da244c..26b97e5a7a2 100644
--- a/runtime/core/exec_aten/util/tensor_util.h
+++ b/runtime/core/exec_aten/util/tensor_util.h
@@ -1212,6 +1212,12 @@ ET_NODISCARD inline Error resize_tensor(
   std::array<executorch::aten::SizesType, kTensorDimensionLimit>
       new_sizes_casted{};
   size_t new_sizes_ndim = new_sizes.size();
+  ET_CHECK_OR_RETURN_ERROR(
+      new_sizes_ndim <= kTensorDimensionLimit,
+      InvalidArgument,
+      "new_sizes_ndim %zu is greater than kTensorDimensionLimit %zu",
+      new_sizes_ndim,
+      kTensorDimensionLimit);
   for (const auto i : c10::irange(new_sizes_ndim)) {
     new_sizes_casted[i] =
         static_cast<executorch::aten::SizesType>(new_sizes[i]);