tensorflow/CVE-2020-15266.patch

From 3ade2efec2e90c6237de32a19680caaa3ebc2845 Mon Sep 17 00:00:00 2001
From: Yong Tang <yong.tang.github@outlook.com>
Date: Sat, 8 Aug 2020 00:47:35 +0000
Subject: [PATCH] Fix segmentation fault in tf.image.crop_and_resize when boxes

---
 tensorflow/core/kernels/crop_and_resize_op.cc | 13 +++++++++++++
 tensorflow/python/ops/image_ops_test.py       | 12 ++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/tensorflow/core/kernels/crop_and_resize_op.cc b/tensorflow/core/kernels/crop_and_resize_op.cc
index 4ecd3bc0..e14f4e43 100644
--- a/tensorflow/core/kernels/crop_and_resize_op.cc
+++ b/tensorflow/core/kernels/crop_and_resize_op.cc
@@ -71,6 +71,18 @@ static inline Status ParseAndCheckBoxSizes(const Tensor& boxes,
   if (boxes.dim_size(1) != 4) {
     return errors::InvalidArgument("boxes must have 4 columns");
   }
+  for (int64 i = 0; i < *num_boxes; i++) {
+    for (int64 j = 0; j < 4; j++) {
+      if (!isfinite(boxes.tensor<float, 2>()(i, j))) {
+	return errors::InvalidArgument(
+	    "boxes values must be finite, received boxes[", i, "]: ",
+	    boxes.tensor<float, 2>()(i, 0), ", ",
+	    boxes.tensor<float, 2>()(i, 1), ", ",
+	    boxes.tensor<float, 2>()(i, 2), ", ",
+	    boxes.tensor<float, 2>()(i, 3));
+      }
+    }
+  }
   // The shape of 'box_index' is [num_boxes].
   if (box_index.dims() != 1) {
     return errors::InvalidArgument("box_index must be 1-D",
@@ -256,6 +268,7 @@ struct CropAndResize<CPUDevice, T> {
             continue;
           }
           if (method_name == "bilinear") {
+
             const int top_y_index = floorf(in_y);
             const int bottom_y_index = ceilf(in_y);
             const float y_lerp = in_y - top_y_index;
diff --git a/tensorflow/python/ops/image_ops_test.py b/tensorflow/python/ops/image_ops_test.py
index 0206ccf9..0630b6fc 100644
--- a/tensorflow/python/ops/image_ops_test.py
+++ b/tensorflow/python/ops/image_ops_test.py
@@ -5275,6 +5275,18 @@ class DecodeImageTest(test_util.TensorFlowTestCase):
       self.assertAllEqual(list(image0.shape), [40, 20, 3])
       self.assertAllEqual(image0, image1)
 
+  def testImageCropAndResize(self):
+    # Test case for GitHub issue 42129
+    message = "boxes values must be finite"
+    with self.assertRaisesRegex(
+        (errors.InvalidArgumentError, ValueError), message):
+      v = image_ops_impl.crop_and_resize_v2(
+          image=array_ops.zeros((2, 1, 1, 1)),
+          boxes=[[1.0e+40, 0, 0, 0]],
+          box_indices=[1],
+          crop_size=[1, 1])
+      self.evaluate(v)
+
 
 if __name__ == "__main__":
   googletest.main()
-- 
2.23.0
fix the cves to tensorflow 2021-08-31 15:06:16 +08:00			`From 3ade2efec2e90c6237de32a19680caaa3ebc2845 Mon Sep 17 00:00:00 2001`
			`From: Yong Tang <yong.tang.github@outlook.com>`
			`Date: Sat, 8 Aug 2020 00:47:35 +0000`
			`Subject: [PATCH] Fix segmentation fault in tf.image.crop_and_resize when boxes`

			`---`
			`tensorflow/core/kernels/crop_and_resize_op.cc \| 13 +++++++++++++`
			`tensorflow/python/ops/image_ops_test.py \| 12 ++++++++++++`
			`2 files changed, 25 insertions(+)`

			`diff --git a/tensorflow/core/kernels/crop_and_resize_op.cc b/tensorflow/core/kernels/crop_and_resize_op.cc`
			`index 4ecd3bc0..e14f4e43 100644`
			`--- a/tensorflow/core/kernels/crop_and_resize_op.cc`
			`+++ b/tensorflow/core/kernels/crop_and_resize_op.cc`
			`@@ -71,6 +71,18 @@ static inline Status ParseAndCheckBoxSizes(const Tensor& boxes,`
			`if (boxes.dim_size(1) != 4) {`
			`return errors::InvalidArgument("boxes must have 4 columns");`
			`}`
			`+ for (int64 i = 0; i < *num_boxes; i++) {`
			`+ for (int64 j = 0; j < 4; j++) {`
			`+ if (!isfinite(boxes.tensor<float, 2>()(i, j))) {`
			`+ return errors::InvalidArgument(`
			`+ "boxes values must be finite, received boxes[", i, "]: ",`
			`+ boxes.tensor<float, 2>()(i, 0), ", ",`
			`+ boxes.tensor<float, 2>()(i, 1), ", ",`
			`+ boxes.tensor<float, 2>()(i, 2), ", ",`
			`+ boxes.tensor<float, 2>()(i, 3));`
			`+ }`
			`+ }`
			`+ }`
			`// The shape of 'box_index' is [num_boxes].`
			`if (box_index.dims() != 1) {`
			`return errors::InvalidArgument("box_index must be 1-D",`
			`@@ -256,6 +268,7 @@ struct CropAndResize<CPUDevice, T> {`
			`continue;`
			`}`
			`if (method_name == "bilinear") {`
			`+`
			`const int top_y_index = floorf(in_y);`
			`const int bottom_y_index = ceilf(in_y);`
			`const float y_lerp = in_y - top_y_index;`
			`diff --git a/tensorflow/python/ops/image_ops_test.py b/tensorflow/python/ops/image_ops_test.py`
			`index 0206ccf9..0630b6fc 100644`
			`--- a/tensorflow/python/ops/image_ops_test.py`
			`+++ b/tensorflow/python/ops/image_ops_test.py`
			`@@ -5275,6 +5275,18 @@ class DecodeImageTest(test_util.TensorFlowTestCase):`
			`self.assertAllEqual(list(image0.shape), [40, 20, 3])`
			`self.assertAllEqual(image0, image1)`

			`+ def testImageCropAndResize(self):`
			`+ # Test case for GitHub issue 42129`
			`+ message = "boxes values must be finite"`
			`+ with self.assertRaisesRegex(`
			`+ (errors.InvalidArgumentError, ValueError), message):`
			`+ v = image_ops_impl.crop_and_resize_v2(`
			`+ image=array_ops.zeros((2, 1, 1, 1)),`
			`+ boxes=[[1.0e+40, 0, 0, 0]],`
			`+ box_indices=[1],`
			`+ crop_size=[1, 1])`
			`+ self.evaluate(v)`
			`+`

			`if __name__ == "__main__":`
			`googletest.main()`
			`--`
			`2.23.0`