CVE-2021-29606: Heap OOB read in TFLite
(updated )
A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of Split_V
:
const int input_size = SizeOfDimension(input, axis_value);
If axis_value
is not a value between 0 and NumDimensions(input)
, then the SizeOfDimension
function will access data outside the bounds of the tensor shape array:
inline int SizeOfDimension(const TfLiteTensor* t, int dim) {
return t->dims->data[dim];
}
References
- github.com/advisories/GHSA-h4pc-gx2w-f2xv
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/c59c37e7b2d563967da813fa50fe20b21f4da683/tensorflow/lite/kernels/split_v.cc
- github.com/tensorflow/tensorflow/commit/ae2daeb45abfe2c6dda539cf8d0d6f653d3ef412
- github.com/tensorflow/tensorflow/security/advisories/GHSA-h4pc-gx2w-f2xv
- nvd.nist.gov/vuln/detail/CVE-2021-29606
Detect and mitigate CVE-2021-29606 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →