tensorflow/CVE-2021-29529.patch

From f851613f8f0fb0c838d160ced13c134f778e3ce7 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Wed, 21 Apr 2021 16:20:48 -0700
Subject: [PATCH] Fix heap buffer overflow caused by rounding.

This was hard to fix. Due to the way we compute the pixels that influence an output pixel in resized images, for certain input configuration we might have issued a read to a pixel that is outside of boundary of the original image. This is because of floating errors that affected truncation results.

PiperOrigin-RevId: 369757871
Change-Id: If89425fff930983829a2168203c11858883eebc9
---
 tensorflow/core/kernels/quantized_resize_bilinear_op.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc b/tensorflow/core/kernels/quantized_resize_bilinear_op.cc
index 07453c7e73284..2fd807f6df961 100644
--- a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc
+++ b/tensorflow/core/kernels/quantized_resize_bilinear_op.cc
@@ -64,6 +64,8 @@ inline void ComputeInterpolationWeights(
         std::max(static_cast<int64>(in_f), static_cast<int64>(0));
     interpolation->upper[i] =
         std::min(static_cast<int64>(std::ceil(in)), in_size - 1);
+    interpolation->lower[i] =
+        std::min(interpolation->lower[i], interpolation->upper[i]);
     interpolation->lerp[i] = in - in_f;
     interpolation->ilerp[i] =
         static_cast<T_SCALE>((in - in_f) * (1 << resolution));
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From f851613f8f0fb0c838d160ced13c134f778e3ce7 Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Wed, 21 Apr 2021 16:20:48 -0700`
			`Subject: [PATCH] Fix heap buffer overflow caused by rounding.`

			`This was hard to fix. Due to the way we compute the pixels that influence an output pixel in resized images, for certain input configuration we might have issued a read to a pixel that is outside of boundary of the original image. This is because of floating errors that affected truncation results.`

			`PiperOrigin-RevId: 369757871`
			`Change-Id: If89425fff930983829a2168203c11858883eebc9`
			`---`
			`tensorflow/core/kernels/quantized_resize_bilinear_op.cc \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc b/tensorflow/core/kernels/quantized_resize_bilinear_op.cc`
			`index 07453c7e73284..2fd807f6df961 100644`
			`--- a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc`
			`+++ b/tensorflow/core/kernels/quantized_resize_bilinear_op.cc`
			`@@ -64,6 +64,8 @@ inline void ComputeInterpolationWeights(`
			`std::max(static_cast<int64>(in_f), static_cast<int64>(0));`
			`interpolation->upper[i] =`
			`std::min(static_cast<int64>(std::ceil(in)), in_size - 1);`
			`+ interpolation->lower[i] =`
			`+ std::min(interpolation->lower[i], interpolation->upper[i]);`
			`interpolation->lerp[i] = in - in_f;`
			`interpolation->ilerp[i] =`
			`static_cast<T_SCALE>((in - in_f) * (1 << resolution));`