You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hey hey, thanks for this amazing package.
There is a small issue arising from an inconsistency between the prediction logic and loading models logic:
When loading a model from json we can specify the indices of the left and right children of each node in each tree however we want.
But the prediction logic in predictor/predict_fn.h:GetNextNode assumes that the right child of a node is always exactly one after the left child of the node. (given that the current feature isn't categorical).
An example is given below.
Since there is access to the node that is one after the left child, this can be a buffer overflow if there is no such node, which can cause a segmentation fault.
The easiest solution would be to update a single line in predictor/predict_fn.h so that it does the correct thing, without making assumptions about the tree structure - since they are not enforced anywhere else.
I've put up a pull request here: #7902
The following is an example in python. We load a model with a single tree with 3 nodes, but order them as root, right child, left child.
The leaf value of the left node is 2, but the result is either 1 or a segfault.
Hey hey, thanks for this amazing package.
There is a small issue arising from an inconsistency between the prediction logic and loading models logic:
When loading a model from json we can specify the indices of the left and right children of each node in each tree however we want.
But the prediction logic in
predictor/predict_fn.h:GetNextNode
assumes that the right child of a node is always exactly one after the left child of the node. (given that the current feature isn't categorical).An example is given below.
Since there is access to the node that is one after the left child, this can be a buffer overflow if there is no such node, which can cause a segmentation fault.
The easiest solution would be to update a single line in
predictor/predict_fn.h
so that it does the correct thing, without making assumptions about the tree structure - since they are not enforced anywhere else.I've put up a pull request here: #7902
The following is an example in python. We load a model with a single tree with 3 nodes, but order them as root, right child, left child.
The leaf value of the left node is 2, but the result is either 1 or a segfault.
The text was updated successfully, but these errors were encountered: