tensorflow/CVE-2021-29605.patch

From 7c8cc4ec69cd348e44ad6a2699057ca88faad3e5 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Thu, 29 Apr 2021 19:43:09 -0700
Subject: [PATCH] Fix a dangerous integer overflow and a malloc of negative
 size.

PiperOrigin-RevId: 371254154
Change-Id: I250a98a3df26328770167025670235a963a72da0
---
 tensorflow/lite/c/common.c                         | 6 ++++--
 tensorflow/lite/kernels/embedding_lookup_sparse.cc | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/tensorflow/lite/c/common.c b/tensorflow/lite/c/common.c
index aaa98a98ebe69..00dd0260cbcc9 100644
--- a/tensorflow/lite/c/common.c
+++ b/tensorflow/lite/c/common.c
@@ -45,8 +45,10 @@ int TfLiteIntArrayEqualsArray(const TfLiteIntArray* a, int b_size,
 #ifndef TF_LITE_STATIC_MEMORY
 
 TfLiteIntArray* TfLiteIntArrayCreate(int size) {
-  TfLiteIntArray* ret =
-      (TfLiteIntArray*)malloc(TfLiteIntArrayGetSizeInBytes(size));
+  int alloc_size = TfLiteIntArrayGetSizeInBytes(size);
+  if (alloc_size <= 0) return NULL;
+  TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size);
+  if (!ret) return ret;
   ret->size = size;
   return ret;
 }
diff --git a/tensorflow/lite/kernels/embedding_lookup_sparse.cc b/tensorflow/lite/kernels/embedding_lookup_sparse.cc
index e9ad7e50cf133..4ad1054340c9c 100644
--- a/tensorflow/lite/kernels/embedding_lookup_sparse.cc
+++ b/tensorflow/lite/kernels/embedding_lookup_sparse.cc
@@ -173,6 +173,7 @@ TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {
 
   // Resize output tensor.
   TfLiteIntArray* output_shape = TfLiteIntArrayCreate(output_rank);
+  TF_LITE_ENSURE(context, output_shape != nullptr);
   int k = 0;
   int embedding_size = 1;
   int lookup_size = 1;
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From 7c8cc4ec69cd348e44ad6a2699057ca88faad3e5 Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Thu, 29 Apr 2021 19:43:09 -0700`
			`Subject: [PATCH] Fix a dangerous integer overflow and a malloc of negative`
			`size.`

			`PiperOrigin-RevId: 371254154`
			`Change-Id: I250a98a3df26328770167025670235a963a72da0`
			`---`
			`tensorflow/lite/c/common.c \| 6 ++++--`
			`tensorflow/lite/kernels/embedding_lookup_sparse.cc \| 1 +`
			`2 files changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/tensorflow/lite/c/common.c b/tensorflow/lite/c/common.c`
			`index aaa98a98ebe69..00dd0260cbcc9 100644`
			`--- a/tensorflow/lite/c/common.c`
			`+++ b/tensorflow/lite/c/common.c`
			`@@ -45,8 +45,10 @@ int TfLiteIntArrayEqualsArray(const TfLiteIntArray* a, int b_size,`
			`#ifndef TF_LITE_STATIC_MEMORY`

			`TfLiteIntArray* TfLiteIntArrayCreate(int size) {`
			`- TfLiteIntArray* ret =`
			`- (TfLiteIntArray*)malloc(TfLiteIntArrayGetSizeInBytes(size));`
			`+ int alloc_size = TfLiteIntArrayGetSizeInBytes(size);`
			`+ if (alloc_size <= 0) return NULL;`
			`+ TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size);`
			`+ if (!ret) return ret;`
			`ret->size = size;`
			`return ret;`
			`}`
			`diff --git a/tensorflow/lite/kernels/embedding_lookup_sparse.cc b/tensorflow/lite/kernels/embedding_lookup_sparse.cc`
			`index e9ad7e50cf133..4ad1054340c9c 100644`
			`--- a/tensorflow/lite/kernels/embedding_lookup_sparse.cc`
			`+++ b/tensorflow/lite/kernels/embedding_lookup_sparse.cc`
			`@@ -173,6 +173,7 @@ TfLiteStatus Eval(TfLiteContext* context, TfLiteNode* node) {`

			`// Resize output tensor.`
			`TfLiteIntArray* output_shape = TfLiteIntArrayCreate(output_rank);`
			`+ TF_LITE_ENSURE(context, output_shape != nullptr);`
			`int k = 0;`
			`int embedding_size = 1;`
			`int lookup_size = 1;`