Fix integer overflow in RKNPU implicit bias allocation

[GopalakrishnanN]

Description

The RKNPU execution provider's ONNX converter allocates implicit (all-zero)
bias buffers with malloc(sizeof(T) * dim) when a Conv / Gemm /
QLinearConv node omits its bias input. dim comes from a model weight's
shape (an attacker-controlled uint32_t after RKNPU shape conversion), and the
allocation result was never checked before memset.

This PR hardens the converter in two places:

• validates ONNX int64_t dimensions before narrowing them to the RKNPU
  uint32_t shape representation, rejecting negative or out-of-range values;
• routes all four implicit-bias allocation sites (AddLayerConvImpl,
  AddLayerQLinearConvImpl, AddLayerDepthwiseConvImpl, AddLayerFC) through
  a shared AllocZeroedBias helper that computes byte counts with
  SafeInt<size_t> and null-checks malloc before zeroing.

Both overflow/OOM error paths include element_size, count, and byte-count
context where available.

Motivation and Context

A malicious ONNX model can provide dimensions that are not safe for the RKNPU
converter's 32-bit shape representation or for byte-size allocation arithmetic:

• ONNX stores dimensions as int64_t, while the RKNPU converter/DDK uses
  uint32_t shape values. Silently narrowing a large or negative int64_t
  value can produce a misleading uint32_t dimension.
• Even after a dimension is represented as uint32_t, sizeof(T) * dim can
  overflow size_t on 32-bit RKNPU targets. For example, dim = 0x40000400
  makes sizeof(float) * dim wrap to 4096 bytes while the created tensor
  still advertises dim elements, causing a heap buffer overflow when the bias
  is consumed by the driver.
• On 64-bit hosts, very large dimensions can instead lead to a failing malloc
  whose NULL result was previously dereferenced by memset.

SafeInt<size_t> is the ORT-standard idiom for memory-size arithmetic, and the
new dimension helper rejects invalid ONNX dimensions before they enter the
RKNPU uint32_t shape model.

Validation: the RKNPU EP requires the Rockchip DDK (RKNPU_DDK_PATH) and an
ARM target, so it does not build on a typical x64 dev box and has no GPU-free CI
leg. The change was validated with clang-format, git diff --check, and a
standalone test against ORT's SafeInt.hpp, confirming the guard throws on the
overflowing dimensions (0x40000400, 0xFFFFFFFF) while preserving normal and
zero-dimension behavior.

Testing: No unit test is included because the RKNPU EP is not compiled in
any CI leg (it requires the proprietary Rockchip DDK and an ARM target), and the
ToRknpuDim / AllocZeroedBias helpers have internal (file-static) linkage,
so they are not reachable from the gtest suites. The overflow/validation logic
was instead exercised with a standalone test against ORT's SafeInt.hpp as
noted above.

[Copilot]

Pull request overview

This PR hardens the RKNPU execution provider’s ONNX-to-RKNN converter against attacker-controlled shape dimensions by preventing sizeof(T) * dim wraparound and by avoiding memset on a null allocation when creating implicit (all-zero) bias buffers.

Changes:

• Add a shared AllocZeroedBias helper that computes allocation sizes with SafeInt<size_t> and checks malloc results before zeroing.
• Route implicit-bias allocations in Conv/QLinearConv/DepthwiseConv/FC layer builders through the helper.
• Include ORT’s safeint.h to use the standard overflow-checked arithmetic idiom.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.