CVE-2021-29542: Incorrect Calculation of Buffer Size
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to tf.raw_ops.StringNGrams
. This is because the implementation fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that num_tokens
is 0, then, for data_start_index=0
, the marked line would result in reading `data-1 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
References
Detect and mitigate CVE-2021-29542 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →