tensorflow/CVE-2021-37682-1.patch

From 8933b8a21280696ab119b63263babdb54c298538 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Fri, 16 Jul 2021 10:22:37 -0700
Subject: [PATCH] Fix a null pointer exception caused by branching on
 uninitialized data.

This is due to not checking that the params for the quantization exists. If there is no quantization, we should not access the `.params` field.

PiperOrigin-RevId: 385173491
Change-Id: I8fc476c4b274fdb21ba741caa0fbc6d1b8840663
---
 tensorflow/lite/kernels/depthwise_conv.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tensorflow/lite/kernels/depthwise_conv.cc b/tensorflow/lite/kernels/depthwise_conv.cc
index c19e01cf33bca..060b0827dafa7 100644
--- a/tensorflow/lite/kernels/depthwise_conv.cc
+++ b/tensorflow/lite/kernels/depthwise_conv.cc
@@ -176,6 +176,7 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {
   if (data_type != kTfLiteFloat32) {
     TF_LITE_ENSURE_EQ(context, filter->quantization.type,
                       kTfLiteAffineQuantization);
+    TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);
     const auto* affine_quantization =
         reinterpret_cast<TfLiteAffineQuantization*>(
             filter->quantization.params);
@@ -195,6 +196,7 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {
   }
 
   if (is_hybrid) {
+    TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);
     const auto* affine_quantization =
         reinterpret_cast<TfLiteAffineQuantization*>(
             filter->quantization.params);
@@ -495,6 +497,7 @@ TfLiteStatus EvalHybridPerChannel(TfLiteContext* context, TfLiteNode* node,
   op_params.weights_offset = 0;
   op_params.float_activation_min = output_activation_min;
   op_params.float_activation_max = output_activation_max;
+  TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);
   const auto* affine_quantization =
       reinterpret_cast<TfLiteAffineQuantization*>(filter->quantization.params);
   if (kernel_type == kReference) {
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From 8933b8a21280696ab119b63263babdb54c298538 Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Fri, 16 Jul 2021 10:22:37 -0700`
			`Subject: [PATCH] Fix a null pointer exception caused by branching on`
			`uninitialized data.`

			This is due to not checking that the params for the quantization exists. If there is no quantization, we should not access the `.params` field.

			`PiperOrigin-RevId: 385173491`
			`Change-Id: I8fc476c4b274fdb21ba741caa0fbc6d1b8840663`
			`---`
			`tensorflow/lite/kernels/depthwise_conv.cc \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/tensorflow/lite/kernels/depthwise_conv.cc b/tensorflow/lite/kernels/depthwise_conv.cc`
			`index c19e01cf33bca..060b0827dafa7 100644`
			`--- a/tensorflow/lite/kernels/depthwise_conv.cc`
			`+++ b/tensorflow/lite/kernels/depthwise_conv.cc`
			`@@ -176,6 +176,7 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {`
			`if (data_type != kTfLiteFloat32) {`
			`TF_LITE_ENSURE_EQ(context, filter->quantization.type,`
			`kTfLiteAffineQuantization);`
			`+ TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);`
			`const auto* affine_quantization =`
			`reinterpret_cast<TfLiteAffineQuantization*>(`
			`filter->quantization.params);`
			`@@ -195,6 +196,7 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {`
			`}`

			`if (is_hybrid) {`
			`+ TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);`
			`const auto* affine_quantization =`
			`reinterpret_cast<TfLiteAffineQuantization*>(`
			`filter->quantization.params);`
			`@@ -495,6 +497,7 @@ TfLiteStatus EvalHybridPerChannel(TfLiteContext* context, TfLiteNode* node,`
			`op_params.weights_offset = 0;`
			`op_params.float_activation_min = output_activation_min;`
			`op_params.float_activation_max = output_activation_max;`
			`+ TF_LITE_ENSURE(context, filter->quantization.type != kTfLiteNoQuantization);`
			`const auto* affine_quantization =`
			`reinterpret_cast<TfLiteAffineQuantization*>(filter->quantization.params);`
			`if (kernel_type == kReference) {`