CVE-2020-15207: Improper Restriction of Operations within the Bounds of a Memory Buffer
In tensorflow-lite, to mimic Python's indexing with negative values, TFLite uses ResolveAxis to convert negative axis values to positive dimension indices by adding the tensor rank. However, the only check that the converted index is valid is a DCHECK, which is compiled into debug builds only. In a release build that check does not exist, so an axis smaller than the negative rank (for example -5 on a rank-3 tensor, which wraps to -2) is carried forward as a negative index. The negative index is then used to access data out of bounds, which results in segfaults and/or data corruption. Because the axis values are read from the model file, a crafted model handed to the interpreter is enough to trigger the out-of-bounds access.
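The following C++ is an added illustration, not TensorFlow's own code: a simplified model of the ResolveAxis pattern in which the DCHECK-only range check sits beside a hardened variant that performs the same check unconditionally and reports failure to the caller. The function names, the MODEL_DCHECK / MODEL_DEBUG_CHECKS macro, and the ReducedShape consumer are assumptions introduced for the example; the tensor shapes and axis values are constructed inputs.

```cpp
// Added example: a simplified model of TFLite's ResolveAxis, not the
// project's own code. Function and macro names are assumptions.
#include <cassert>
#include <cstdio>
#include <vector>

// Stand-in for a DCHECK: active only when MODEL_DEBUG_CHECKS is defined
// (mirroring a debug build), a no-op otherwise (mirroring a release build,
// where TFLite's DCHECK is likewise compiled out).
#ifdef MODEL_DEBUG_CHECKS
#define MODEL_DCHECK(cond) assert(cond)
#else
#define MODEL_DCHECK(cond) ((void)0)
#endif

// Vulnerable pattern. A negative axis is wrapped Python-style by adding the
// rank, but the only range check is the DCHECK. For num_dims == 3 and
// axis == -5 the wrapped value is -2, and in a release build it is returned
// as if it were a valid dimension index.
std::vector<int> ResolveAxisUnchecked(int num_dims, const std::vector<int>& axis) {
  std::vector<int> out;
  if (num_dims == 0) return out;  // scalar: the axes go unused
  for (int a : axis) {
    int current = a < 0 ? a + num_dims : a;
    MODEL_DCHECK(current >= 0 && current < num_dims);  // no-op in release
    bool dup = false;
    for (int seen : out) if (seen == current) dup = true;
    if (!dup) out.push_back(current);
  }
  return out;
}

// Hardened pattern. The same range test runs in every build, and a failure
// is reported to the caller instead of being carried forward as an index.
bool ResolveAxisChecked(int num_dims, const std::vector<int>& axis,
                        std::vector<int>* out) {
  out->clear();
  if (num_dims == 0) return true;
  for (int a : axis) {
    int current = a < 0 ? a + num_dims : a;
    if (current < 0 || current >= num_dims) return false;  // always checked
    bool dup = false;
    for (int seen : *out) if (seen == current) dup = true;
    if (!dup) out->push_back(current);
  }
  return true;
}

// A consumer in the style of a reduction kernel: the output shape drops the
// resolved axes. Indexing input_dims with a negative value coming from the
// unchecked resolver would be the out-of-bounds read; routing through the
// checked resolver and refusing the op on failure closes that path.
bool ReducedShape(const std::vector<int>& input_dims, const std::vector<int>& axis,
                  std::vector<int>* out_dims) {
  std::vector<int> resolved;
  if (!ResolveAxisChecked(static_cast<int>(input_dims.size()), axis, &resolved)) {
    return false;
  }
  out_dims->clear();
  for (int d = 0; d < static_cast<int>(input_dims.size()); ++d) {
    bool reduced = false;
    for (int r : resolved) if (r == d) reduced = true;
    if (!reduced) out_dims->push_back(input_dims[d]);
  }
  return true;
}

int main() {
  // Constructed input: a rank-3 tensor and an axis of -5 as a crafted model
  // could supply it.
  std::vector<int> unchecked = ResolveAxisUnchecked(3, {-5});
  std::printf("unchecked resolver returned %d (would index out of bounds)\n",
              unchecked[0]);
  std::vector<int> shape;
  std::printf("checked resolver accepts -5: %s\n",
              ReducedShape({2, 3, 4}, {-5}, &shape) ? "yes" : "no");
  std::printf("checked resolver accepts -1: %s\n",
              ReducedShape({2, 3, 4}, {-1}, &shape) ? "yes" : "no");
  return 0;
}
```

Build it once with and once without -DMODEL_DEBUG_CHECKS to see the difference the advisory describes: with the flag the unchecked resolver aborts on the bad axis, without it the -2 silently reaches the caller. The checked resolver rejects -5 in both configurations while still accepting ordinary negative axes such as -1.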