CVE-2021-37645: Incorrect Conversion between Numeric Types
TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.raw_ops.QuantizeAndDequantizeV4Grad is vulnerable to an integer conversion issue: a signed integer value is converted to an unsigned one, and memory is then allocated based on the converted value. The implementation uses the axis value as the size argument to the absl::InlinedVector constructor. That constructor takes an unsigned type for its size argument, so when axis is negative the implicit conversion turns it into a very large unsigned integer, and the container attempts an allocation of that size. The missing check is validation of axis against the rank of the input before it is ever used as a size.
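The conversion described above, as an added example that is not part of this advisory or of TensorFlow's own code. std::vector stands in for absl::InlinedVector (both size-constructors take an unsigned size_type, which is the conversion at issue), the container name `dims` is hypothetical, and the validation range [-1, rank) in the hardened function is the kind of check a fix for this bug class needs (-1 being the op's "no per-channel axis" default), not the TensorFlow patch reproduced verbatim.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <vector>

// The value the unsigned size parameter actually receives for a given axis.
std::size_t requested_size(int axis) {
    std::size_t n = axis;  // implicit int -> size_t; -1 becomes SIZE_MAX
    return n;
}

// True when the converted size exceeds anything a tensor rank could be.
bool unchecked_size_is_absurd(int axis) {
    return requested_size(axis) >
           static_cast<std::size_t>(std::numeric_limits<int>::max());
}

// Vulnerable pattern (hypothetical stand-in): axis is handed straight to the
// size-constructor with no validation, as the advisory describes. Reports
// whether construction blew up (std::length_error or std::bad_alloc) instead
// of letting the exception escape.
bool unchecked_construction_fails(int axis) {
    try {
        std::vector<std::int64_t> dims(axis);  // same implicit conversion
        return dims.size() != static_cast<std::size_t>(axis);  // always false
    } catch (const std::exception&) {
        return true;
    }
}

// Hardened pattern: reject axis before it is used as a size. Assumed contract:
// -1 means "no per-channel axis", anything else must be a valid dimension
// index of the input, i.e. axis in [-1, input_rank).
std::vector<std::int64_t> make_dims_checked(int axis, int input_rank) {
    if (axis < -1 || axis >= input_rank) {
        throw std::invalid_argument("axis must be in [-1, rank)");
    }
    const std::size_t n = axis < 0 ? 0 : static_cast<std::size_t>(axis);
    return std::vector<std::int64_t>(n);
}

// Wrapper so the rejection path can be observed as a bool.
bool checked_rejects(int axis, int input_rank) {
    try {
        make_dims_checked(axis, input_rank);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main() {
    // Constructed inputs: a negative axis as an attacker would supply it,
    // and a benign one for comparison.
    for (int axis : {-1, 2}) {
        std::printf("axis=%d -> requested size %zu, absurd=%d, unchecked fails=%d, "
                    "checked rejects (rank 4)=%d\n",
                    axis, requested_size(axis), unchecked_size_is_absurd(axis),
                    unchecked_construction_fails(axis), checked_rejects(axis, 4));
    }
    return 0;
}
```

The unchecked path does not fail gracefully in general: std::vector happens to throw because it compares the request against max_size(), while a container that goes straight to the allocator would abort or exhaust memory. The only reliable defence is the range check before the size is computed.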