From 0c6a32050d425d325c593ba2ed2be3822c20f042 Mon Sep 17 00:00:00 2001
From: PshySimon
Date: Wed, 2 Jul 2025 10:47:49 +0800
Subject: [PATCH] fix CVE-2025-49847
---
 backport-CVE-2025-49847.patch | 43 +++++++++++++++++++++++++++++++++++
 llama.cpp.spec | 8 +++++--
 2 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2025-49847.patch
diff --git a/backport-CVE-2025-49847.patch b/backport-CVE-2025-49847.patch
new file mode 100644
index 0000000..9020cfb
--- /dev/null
+++ b/backport-CVE-2025-49847.patch
@@ -0,0 +1,43 @@
+From 105092e63c03b0fa5fe19a2ca850c219628582ec Mon Sep 17 00:00:00 2001
+From: Guy Goldenberg
+Date: Fri, 13 Jun 2025 19:20:25 +0300
+Subject: [PATCH] Merge commit from fork
+
+* vocab : prevent integer overflow during load
+
+* Add static cast and GGML_ABORT
+
+---------
+
+Co-authored-by: Georgi Gerganov
+---
+ src/llama-vocab.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/llama-vocab.cpp b/src/llama-vocab.cpp
+index 8c9aaf5..953e2cb 100644
+--- a/src/llama-vocab.cpp
++++ b/src/llama-vocab.cpp
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+
+ //
+ // helpers
+@@ -1785,6 +1786,10 @@ int32_t llama_token_to_piece_impl(const struct llama_vocab & vocab, llama_token
+ // copy piece chars to output text buffer
+ // skip up to 'lstrip' leading spaces before copying
+ auto _try_copy = [=] (const char * token, size_t size) -> int32_t {
++ if (size >= static_cast(std::numeric_limits::max())) {
++ GGML_ABORT("invalid token size: %zu exceeds int32_t limit", size);
++ }
++
+ for (int32_t i = 0; i < lstrip && size && *token == ' '; ++i) {
+ token++;
+ size--;
+--
+2.43.0
+
+
diff --git a/llama.cpp.spec b/llama.cpp.spec
index 19552ec..876f582 100644
--- a/llama.cpp.spec
+++ b/llama.cpp.spec
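Review bot: The backported hunk patches `src/llama-vocab.cpp` at `@@ -1785,6 +1786,10 @@ int32_t llama_token_to_piece_impl(...)`, but the spec this commit updates pins `Version: 20230815`, and as far as I recall the August 2023 snapshot still kept token-to-piece conversion inside the top-level `llama.cpp` rather than in a `src/llama-vocab.cpp`, so the patch probably does not apply as-is and the size guard needs to be rebased onto that snapshot's own copy routine (or the package moved to a release that already carries the upstream fix). The spec hunk only registers `Patch1:`; whether `%prep` actually applies it (`%autosetup -p1` or an explicit `%patch1`) lies outside these hunks, and if it does not, the changelog would claim a CVE fix that is never built in — please confirm with a scratch build and by checking that the built library refuses a GGUF whose token piece length reaches `INT32_MAX`. As rendered here the `#include` names and the template arguments of `static_cast(...)` and `std::numeric_limits::max()` are missing; upstream 105092e, as I recall, reads `#include <limits>` and `static_cast<size_t>(std::numeric_limits<int32_t>::max())`, so verify the stored patch file carries them, otherwise it will not compile. The enclosing `llama_token_to_piece_impl` body continues outside the hunk.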
@@ -3,13 +3,14 @@ Name: llama.cpp Version: 20230815 -Release: 4 +Release: 5 License: MIT Summary: Port of English lagre model LLaMA implemented based on C/C++ URL: https://github.com/ggerganov/llama.cpp Source0: https://github.com/ggerganov/llama.cpp/archive/refs/tags/%{llama_commitid}.tar.gz -Patch0: add-loongarch64-support.patch +Patch0: add-loongarch64-support.patch +Patch1: backport-CVE-2025-49847.patch BuildRequires: gcc,gcc-c++,cmake @@ -40,6 +41,9 @@ popd %{_libdir}/libembdinput.a %changelog +* Wed Jul 2 2025 PshySimon - 20230815-5 +- fix CVE-2025-49847 + * Tue May 14 2024 wangshuo - 20230815-4 - add loongarch64 support -- Gitee