CVE-2022-23585: Memory leak in decoding PNG images
(updated )
When decoding PNG images TensorFlow can produce a memory leak if the image is invalid.
After calling png::CommonInitDecode(..., &decode)
, the decode
value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode)
. However, several error case in the function implementation invoke the OP_REQUIRES
macro which immediately terminates the execution of the function, without allowing for the memory free to occur.
References
- github.com/advisories/GHSA-fq6p-6334-8gr4
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-94.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-149.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc
- github.com/tensorflow/tensorflow/commit/ab51e5b813573dc9f51efa335aebcf2994125ee9
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fq6p-6334-8gr4
- nvd.nist.gov/vuln/detail/CVE-2022-23585
Detect and mitigate CVE-2022-23585 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →