tensorflow/CVE-2021-37682-2.patch

From 537bc7c723439b9194a358f64d871dd326c18887 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Fri, 16 Jul 2021 09:35:48 -0700
Subject: [PATCH] Fix a null pointer exception caused by branching on
 uninitialized data.

This is due to not checking that the params for the quantization exists. If there is no quantization, we should not access the `.params` field.

PiperOrigin-RevId: 385163909
Change-Id: I2beb8d50649b6542db224c163033fbcbaa49314f
---
 tensorflow/lite/kernels/svdf.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tensorflow/lite/kernels/svdf.cc b/tensorflow/lite/kernels/svdf.cc
index 6c02508e26b1d..41a71c54a8c92 100644
--- a/tensorflow/lite/kernels/svdf.cc
+++ b/tensorflow/lite/kernels/svdf.cc
@@ -256,14 +256,21 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {
                                                      output_temp_size_array));
 
     // Calculate effective scales.
+    TF_LITE_ENSURE(context, input->quantization.type != kTfLiteNoQuantization);
     auto* input_params =
         reinterpret_cast<TfLiteAffineQuantization*>(input->quantization.params);
+    TF_LITE_ENSURE(context,
+                   weights_feature->quantization.type != kTfLiteNoQuantization);
     auto* weights_feature_params = reinterpret_cast<TfLiteAffineQuantization*>(
         weights_feature->quantization.params);
+    TF_LITE_ENSURE(context, state->quantization.type != kTfLiteNoQuantization);
     auto* state_params =
         reinterpret_cast<TfLiteAffineQuantization*>(state->quantization.params);
+    TF_LITE_ENSURE(context,
+                   weights_time->quantization.type != kTfLiteNoQuantization);
     auto* weight_time_params = reinterpret_cast<TfLiteAffineQuantization*>(
         weights_time->quantization.params);
+    TF_LITE_ENSURE(context, output->quantization.type != kTfLiteNoQuantization);
     auto* output_params = reinterpret_cast<TfLiteAffineQuantization*>(
         output->quantization.params);
     const double effective_scale_1 = input_params->scale->data[0] *
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From 537bc7c723439b9194a358f64d871dd326c18887 Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Fri, 16 Jul 2021 09:35:48 -0700`
			`Subject: [PATCH] Fix a null pointer exception caused by branching on`
			`uninitialized data.`

			This is due to not checking that the params for the quantization exists. If there is no quantization, we should not access the `.params` field.

			`PiperOrigin-RevId: 385163909`
			`Change-Id: I2beb8d50649b6542db224c163033fbcbaa49314f`
			`---`
			`tensorflow/lite/kernels/svdf.cc \| 7 +++++++`
			`1 file changed, 7 insertions(+)`

			`diff --git a/tensorflow/lite/kernels/svdf.cc b/tensorflow/lite/kernels/svdf.cc`
			`index 6c02508e26b1d..41a71c54a8c92 100644`
			`--- a/tensorflow/lite/kernels/svdf.cc`
			`+++ b/tensorflow/lite/kernels/svdf.cc`
			`@@ -256,14 +256,21 @@ TfLiteStatus Prepare(TfLiteContext* context, TfLiteNode* node) {`
			`output_temp_size_array));`

			`// Calculate effective scales.`
			`+ TF_LITE_ENSURE(context, input->quantization.type != kTfLiteNoQuantization);`
			`auto* input_params =`
			`reinterpret_cast<TfLiteAffineQuantization*>(input->quantization.params);`
			`+ TF_LITE_ENSURE(context,`
			`+ weights_feature->quantization.type != kTfLiteNoQuantization);`
			`auto* weights_feature_params = reinterpret_cast<TfLiteAffineQuantization*>(`
			`weights_feature->quantization.params);`
			`+ TF_LITE_ENSURE(context, state->quantization.type != kTfLiteNoQuantization);`
			`auto* state_params =`
			`reinterpret_cast<TfLiteAffineQuantization*>(state->quantization.params);`
			`+ TF_LITE_ENSURE(context,`
			`+ weights_time->quantization.type != kTfLiteNoQuantization);`
			`auto* weight_time_params = reinterpret_cast<TfLiteAffineQuantization*>(`
			`weights_time->quantization.params);`
			`+ TF_LITE_ENSURE(context, output->quantization.type != kTfLiteNoQuantization);`
			`auto* output_params = reinterpret_cast<TfLiteAffineQuantization*>(`
			`output->quantization.params);`
			`const double effective_scale_1 = input_params->scale->data[0] *`