From 228671590de107bb07675431d889eb34674b8ede Mon Sep 17 00:00:00 2001
From: Dillon Sharlet
Date: Wed, 25 Sep 2024 12:37:57 -0700
Subject: [PATCH] Fix use after free in xnn_insert_clamp_node

xnn_define_tensor_value can invalidate the output_value pointer, so copy data referred from it before calling xnn_define_tensor_value.

PiperOrigin-RevId: 678807574
---
 src/subgraph.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/subgraph.c b/src/subgraph.c
index 1eaca96d431..d227add1624 100644
--- a/src/subgraph.c
+++ b/src/subgraph.c
@@ -33,8 +33,9 @@ enum xnn_status xnn_insert_clamp_node(xnn_subgraph_t subgraph, float output_min,
 struct xnn_value* output_value = &subgraph->values[output_id];
 uint32_t new_id = XNN_INVALID_VALUE_ID;
 enum xnn_status status;
- const size_t num_dims = output_value->shape.num_dims;
- const size_t* dims = output_value->shape.dim;
+ size_t num_dims = output_value->shape.num_dims;
+ size_t dims[XNN_MAX_TENSOR_DIMS];
+ memcpy(dims, output_value->shape.dim, num_dims * sizeof(size_t));
 switch (output_value->datatype) {
 case xnn_datatype_fp16:
 status = xnn_define_tensor_value(
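Review bot: The new `memcpy` into `dims[XNN_MAX_TENSOR_DIMS]` copies `num_dims * sizeof(size_t)` bytes without checking that `num_dims` fits the stack array, so a value whose shape carried a larger count would overflow it. That bound is presumably enforced when the value is defined, but nothing in this hunk shows it; a guard such as `assert(num_dims <= XNN_MAX_TENSOR_DIMS);` before the copy would make the invariant explicit. Separately, `output_value` is still a pointer into `subgraph->values`, and the function body continues past the hunk. Any dereference of it after `xnn_define_tensor_value` returns would hit the same stale pointer this commit fixes for `dims`, so it should be re-read from `&subgraph->values[output_id]`.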