From 6154ed3147abf8c0344438e46bafea8eca0c56d5 Mon Sep 17 00:00:00 2001
From: Andy Lau
Date: Wed, 25 Jun 2025 12:13:53 +0000
Subject: [PATCH] Fix CVE-2025-49847
---
 backport-CVE-2025-49847.patch | 42 +++++++++++++++++++++++++++++++++++
 llama.cpp.spec | 6 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-49847.patch
diff --git a/backport-CVE-2025-49847.patch b/backport-CVE-2025-49847.patch
new file mode 100644
index 0000000..e74cb5c
--- /dev/null
+++ b/backport-CVE-2025-49847.patch
@@ -0,0 +1,42 @@
+From 3cfbbdb44e08fd19429fed6cc85b982a91f0efd5 Mon Sep 17 00:00:00 2001
+From: Guy Goldenberg
+Date: Fri, 13 Jun 2025 19:20:25 +0300
+Subject: [PATCH] Merge commit from fork
+
+* vocab : prevent integer overflow during load
+
+* Add static cast and GGML_ABORT
+
+---------
+
+Co-authored-by: Georgi Gerganov
+---
+ src/llama-vocab.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/llama-vocab.cpp b/src/llama-vocab.cpp
+index 8c9aaf5..6d5d378 100644
+--- a/src/llama-vocab.cpp
++++ b/src/llama-vocab.cpp
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ //
+ // helpers
+@@ -1785,6 +1786,10 @@ int32_t llama_token_to_piece_impl(const struct llama_vocab & vocab, llama_token
+ // copy piece chars to output text buffer
+ // skip up to 'lstrip' leading spaces before copying
+ auto _try_copy = [=] (const char * token, size_t size) -> int32_t {
++ if (size >= static_cast(std::numeric_limits::max())) {
++ GGML_ABORT("invalid token size: %zu exceeds int32_t limit", size);
++ }
++
+ for (int32_t i = 0; i < lstrip && size && *token == ' '; ++i) {
+ token++;
+ size--;
+-- 
+2.43.0
+
diff --git a/llama.cpp.spec b/llama.cpp.spec
index 300a9b0..36552c6 100644
--- a/llama.cpp.spec
+++ b/llama.cpp.spec
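Review bot: The new guard in `_try_copy` is rendered without its template arguments — `static_cast(std::numeric_limits::max())` and the four `#include` lines have lost their `<...>` parts — so if the committed backport-CVE-2025-49847.patch matches this rendering the backport will not compile: `size` is a `size_t`, so the comparison has to read `static_cast<size_t>(std::numeric_limits<int32_t>::max())`, and the added include has to name the header that provides it (`#include <limits>`). This is very possibly an artifact of the page rather than of the file, so compare the stored patch byte-for-byte against upstream commit 3cfbbdb44e08 before trusting the build. The hunk header `@@ -1785,6 +1786,10 @@` comes from a mid-2025 upstream tree while the package pins the 20241210 tag, so expect offset/fuzz when applying and check the build log that the hunk landed inside llama_token_to_piece_impl instead of being rejected. Once in place the guard turns an oversized token into a controlled `GGML_ABORT` (a process exit) instead of an int32_t truncation, which matches upstream's chosen behaviour; the lambda body continues past the end of the hunk.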
@@ -3,12 +3,13 @@ Name: llama.cpp Version: 20241210 -Release: 1 +Release: 2 License: MIT Summary: Port of English lagre model LLaMA implemented based on C/C++ URL: https://github.com/ggerganov/llama.cpp Source0: https://github.com/ggerganov/llama.cpp/archive/refs/tags/%{llama_commitid}.tar.gz +Patch0: backport-CVE-2025-49847.patch BuildRequires: gcc,gcc-c++,cmake @@ -53,6 +54,9 @@ it can be used for model dialogue based on local laptops. %{_exec_prefix}/lib/pkgconfig/llama.pc %changelog +* Wed Jun 25 2025 andy - 20241210-2 +- fix CVE-2025-49847 + * Tue Dec 10 2024 misaka00251 - 20241210-1 - Upgrade to 20241210 - Split headers into devel package -- Gitee
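Review bot: `Patch0: backport-CVE-2025-49847.patch` is declared in the first hunk, but no `%patch0` or `%autosetup` line appears in the diff, so whether the patch is ever applied depends on the `%prep` section outside this hunk; if `%prep` uses plain `%setup`, the build still ships the unpatched llama_token_to_piece_impl and the CVE stays open despite the Release bump and changelog entry. Confirm that `%prep` uses `%autosetup -p1` (or add `%patch0 -p1`), noting that the patch's paths are `a/src/llama-vocab.cpp`, so strip level 1 is required. It would also be worth checking the build log for the patch being applied cleanly rather than with fuzz, since the hunk offsets come from a newer upstream tree than the pinned 20241210 tag.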