From b33603ea0d21a1eeaf4d7039f9eca8e14a5d15a3 Mon Sep 17 00:00:00 2001
From: Xuan Son Nguyen
Date: Tue, 18 Nov 2025 11:47:29 +0100
Subject: [PATCH 1/2] chat: fix int overflow, prevent size calculation in float/double
---
 common/chat.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/common/chat.cpp b/common/chat.cpp
index 938872e82ee1d..62c09fa6151b9 100644
--- a/common/chat.cpp
+++ b/common/chat.cpp
@@ -3009,7 +3009,7 @@ static common_chat_params common_chat_templates_apply_legacy(
 const struct common_chat_templates * tmpls,
 const struct common_chat_templates_inputs & inputs) {
- int alloc_size = 0;
+ size_t alloc_size = 0;
 std::vector chat;
 std::vector contents;
@@ -3031,7 +3031,8 @@ static common_chat_params common_chat_templates_apply_legacy(
 const auto & msg = inputs.messages[i];
 const auto & content = contents[i];
 chat.push_back({msg.role.c_str(), content.c_str()});
- alloc_size += (msg.role.size() + content.size()) * 1.25;
+ size_t msg_sz = msg.role.size() + content.size();
+ alloc_size += msg_sz + (msg_sz / 4); // == msg_sz * 1.25 but avoiding float ops
 }
 std::vector buf(alloc_size);
@@ -3053,6 +3054,11 @@ static common_chat_params common_chat_templates_apply_legacy(
 res = llama_chat_apply_template(src.c_str(), chat.data(), chat.size(), inputs.add_generation_prompt, buf.data(), buf.size());
 }
+ // for safety, we check the result again
+ if (res < 0 || (size_t) res > buf.size()) {
+ throw std::runtime_error("failed to apply chat template, try using --jinja");
+ }
+
 common_chat_params params;
 params.prompt = std::string(buf.data(), res);
 if (!inputs.json_schema.empty()) {
From 6d3d572213b8c5fe0b1a33623ae0af0ecf2a05a6 Mon Sep 17 00:00:00 2001
From: Xuan-Son Nguyen
Date: Tue, 18 Nov 2025 11:56:17 +0100
Subject: [PATCH 2/2] Update common/chat.cpp
Co-authored-by: Georgi Gerganov
---
 common/chat.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
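Review bot: The comment `// for safety, we check the result again` on the added guard in the third hunk does not say what the guard protects; `res` is used as a byte length in `std::string(buf.data(), res)` two lines below, so a negative or oversized value would become an out-of-bounds read, and the comment should say so: `// res is used as a length into buf below: reject a negative (template not supported) or out-of-range result before building the prompt`. The condition itself is correct for that purpose, given that the resize-and-retry block closing at the `}` context line has already run. On the same line, `(size_t) res` is a C-style cast; `static_cast<size_t>(res)` keeps the intent greppable. The enclosing function common_chat_templates_apply_legacy starts before the first hunk and continues past this one, so the earlier `res = ...` assignment and the retry condition are not visible here.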
diff --git a/common/chat.cpp b/common/chat.cpp
index 62c09fa6151b9..afff6917ed961 100644
--- a/common/chat.cpp
+++ b/common/chat.cpp
@@ -3031,8 +3031,8 @@ static common_chat_params common_chat_templates_apply_legacy(
 const auto & msg = inputs.messages[i];
 const auto & content = contents[i];
 chat.push_back({msg.role.c_str(), content.c_str()});
- size_t msg_sz = msg.role.size() + content.size();
- alloc_size += msg_sz + (msg_sz / 4); // == msg_sz * 1.25 but avoiding float ops
+ size_t msg_size = msg.role.size() + content.size();
+ alloc_size += msg_size + (msg_size / 4); // == msg_size * 1.25 but avoiding float ops
 }
 std::vector buf(alloc_size);