tensorflow/CVE-2021-29586.patch

From 5f7975d09eac0f10ed8a17dbb6f5964977725adc Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Tue, 27 Apr 2021 17:45:43 -0700
Subject: [PATCH] Prevent another div by 0 in optimized pooling implementations
 TFLite

PiperOrigin-RevId: 370800091
Change-Id: I2119352f57fb5ca4f2051e0e2d749403304a979b
---
 tensorflow/lite/kernels/pooling.cc      |  4 ++++
 tensorflow/lite/kernels/pooling_test.cc | 13 +++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/tensorflow/lite/kernels/pooling.cc b/tensorflow/lite/kernels/pooling.cc
index 1ae3d207b135e..474bd3825f4ff 100644
--- a/tensorflow/lite/kernels/pooling.cc
+++ b/tensorflow/lite/kernels/pooling.cc
@@ -87,6 +87,10 @@ TfLiteStatus GenericPrepare(TfLiteContext* context, TfLiteNode* node) {
   auto padding = params->padding;
   int out_width, out_height;
 
+  // Prevent division by 0 in optimized pooling implementations
+  TF_LITE_ENSURE(context, params->stride_height > 0);
+  TF_LITE_ENSURE(context, params->stride_width > 0);
+
   data->padding = ComputePaddingHeightWidth(
       params->stride_height, params->stride_width, 1, 1, height, width,
       params->filter_height, params->filter_width, padding, &out_height,
diff --git a/tensorflow/lite/kernels/pooling_test.cc b/tensorflow/lite/kernels/pooling_test.cc
index e614fedccfd50..108195388141d 100644
--- a/tensorflow/lite/kernels/pooling_test.cc
+++ b/tensorflow/lite/kernels/pooling_test.cc
@@ -1151,5 +1151,18 @@ TEST(FloatPoolingOpTest, L2PoolPaddingValidSlide1) {
   EXPECT_THAT(m.GetOutput(), ElementsAreArray({3.5, 6.0, 6.5}));
 }
 
+#ifdef GTEST_HAS_DEATH_TEST
+TEST(FloatPoolingOpTest, MaxPoolWithZeroStride) {
+  EXPECT_DEATH(
+      FloatPoolingOpModel m(BuiltinOperator_MAX_POOL_2D,
+                            /*input=*/{TensorType_FLOAT32, {1, 2, 4, 1}},
+                            /*filter_width=*/2, /*filter_height=*/2,
+                            /*output=*/{TensorType_FLOAT32, {}},
+                            /*padding=*/Padding_VALID,
+                            /*stride_w=*/0, /*stride_h=*/0),
+      "Cannot allocate tensors");
+}
+#endif
+
 }  // namespace
 }  // namespace tflite
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From 5f7975d09eac0f10ed8a17dbb6f5964977725adc Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Tue, 27 Apr 2021 17:45:43 -0700`
			`Subject: [PATCH] Prevent another div by 0 in optimized pooling implementations`
			`TFLite`

			`PiperOrigin-RevId: 370800091`
			`Change-Id: I2119352f57fb5ca4f2051e0e2d749403304a979b`
			`---`
			`tensorflow/lite/kernels/pooling.cc \| 4 ++++`
			`tensorflow/lite/kernels/pooling_test.cc \| 13 +++++++++++++`
			`2 files changed, 17 insertions(+)`

			`diff --git a/tensorflow/lite/kernels/pooling.cc b/tensorflow/lite/kernels/pooling.cc`
			`index 1ae3d207b135e..474bd3825f4ff 100644`
			`--- a/tensorflow/lite/kernels/pooling.cc`
			`+++ b/tensorflow/lite/kernels/pooling.cc`
			`@@ -87,6 +87,10 @@ TfLiteStatus GenericPrepare(TfLiteContext* context, TfLiteNode* node) {`
			`auto padding = params->padding;`
			`int out_width, out_height;`

			`+ // Prevent division by 0 in optimized pooling implementations`
			`+ TF_LITE_ENSURE(context, params->stride_height > 0);`
			`+ TF_LITE_ENSURE(context, params->stride_width > 0);`
			`+`
			`data->padding = ComputePaddingHeightWidth(`
			`params->stride_height, params->stride_width, 1, 1, height, width,`
			`params->filter_height, params->filter_width, padding, &out_height,`
			`diff --git a/tensorflow/lite/kernels/pooling_test.cc b/tensorflow/lite/kernels/pooling_test.cc`
			`index e614fedccfd50..108195388141d 100644`
			`--- a/tensorflow/lite/kernels/pooling_test.cc`
			`+++ b/tensorflow/lite/kernels/pooling_test.cc`
			`@@ -1151,5 +1151,18 @@ TEST(FloatPoolingOpTest, L2PoolPaddingValidSlide1) {`
			`EXPECT_THAT(m.GetOutput(), ElementsAreArray({3.5, 6.0, 6.5}));`
			`}`

			`+#ifdef GTEST_HAS_DEATH_TEST`
			`+TEST(FloatPoolingOpTest, MaxPoolWithZeroStride) {`
			`+ EXPECT_DEATH(`
			`+ FloatPoolingOpModel m(BuiltinOperator_MAX_POOL_2D,`
			`+ /input=/{TensorType_FLOAT32, {1, 2, 4, 1}},`
			`+ /filter_width=/2, /filter_height=/2,`
			`+ /output=/{TensorType_FLOAT32, {}},`
			`+ /padding=/Padding_VALID,`
			`+ /stride_w=/0, /stride_h=/0),`
			`+ "Cannot allocate tensors");`
			`+}`
			`+#endif`
			`+`
			`} // namespace`
			`} // namespace tflite`