Skip to content

Add missing attribute array validation for TreeEnsembleClassifier#27571

Merged
vraspar merged 4 commits intomainfrom
vraspar/tree-ensemble
Mar 6, 2026
Merged

Add missing attribute array validation for TreeEnsembleClassifier#27571
vraspar merged 4 commits intomainfrom
vraspar/tree-ensemble

Conversation

@vraspar
Copy link
Contributor

@vraspar vraspar commented Mar 5, 2026
edited
Loading

Description

The TreeEnsembleAttributesV3 constructor in tree_ensemble_attribute.h had 15 ORT_ENFORCE size-validation checks in the regressor path but none in the classifier path. A malformed ONNX model with mismatched TreeEnsembleClassifier attribute arrays (e.g., class_ids vs class_nodeids) could cause out-of-bounds access.

To fix this, moved all ORT_ENFORCE validation checks out of the else (regressor) branch so they apply to both classifier and regressor paths.

@vraspar vraspar changed the title Add tests for class and node attribute array size mismatches in TreeEnsembleClassifier Add missing attribute array validation for TreeEnsembleClassifier Mar 5, 2026
@vraspar vraspar requested a review from Copilot March 5, 2026 23:17
yuslepukhin
yuslepukhin reviewed Mar 5, 2026
View reviewed changes
@yuslepukhin yuslepukhin mentioned this pull request Mar 5, 2026
Closed
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens TreeEnsembleAttributesV3 parsing for TreeEnsembleClassifier by applying the same attribute-array size validations previously only enforced on the regressor path, preventing potential out-of-bounds access from malformed ONNX models.

Changes:

  • Move ORT_ENFORCE size/consistency checks to apply to both classifier and regressor attribute parsing.
  • Add negative tests ensuring malformed classifier models (mismatched node/class attribute arrays) fail during initialization.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
onnxruntime/test/providers/cpu/ml/tree_ensembler_classifier_test.cc Adds regression tests that expect failure when classifier attribute arrays are mismatched.
onnxruntime/core/providers/cpu/ml/tree_ensemble_attribute.h Applies existing attribute array validation checks to classifier path as well as regressor path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@vraspar vraspar requested a review from yuslepukhin March 6, 2026 00:42
github-actions[bot]
github-actions bot reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can commit the suggested changes from lintrunner.

@vraspar vraspar enabled auto-merge (squash) March 6, 2026 20:01
@vraspar vraspar merged commit b903557 into main Mar 6, 2026
91 checks passed
@vraspar vraspar deleted the vraspar/tree-ensemble branch March 6, 2026 22:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

@yuslepukhin yuslepukhin yuslepukhin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vraspar @yuslepukhin