FIX Prevents segfault in SVC when internals are altered (#21336)
Co-authored-by: Guillaume Lemaitre <g.lemaitre58@gmail.com>
Co-authored-by: Jérémie du Boisberranger <34657725+jeremiedbb@users.noreply.github.com>
Co-authored-by: Olivier Grisel <olivier.grisel@gmail.com>
4 people committed Oct 20, 2021
1 parent f3f04ed commit 1bf13d5
Showing 3 changed files with 29 additions and 0 deletions.
9 changes: 9 additions & 0 deletions doc/whats_new/v1.0.rst
Expand Up @@ -67,6 +67,15 @@ Fixed models
names out from one step of a pipeline to the next. :pr:`21351` by
`Thomas Fan`_.

:mod:`sklearn.svm`
..................

- |Fix| :class:`svm.SVC` and :class:`svm.SVR` check for an inconsistency
in its internal representation and raise an error instead of segfaulting.
This fix also resolves
`CVE-2020-28975 <https://nvd.nist.gov/vuln/detail/CVE-2020-28975>`__.
:pr:`21336` by `Thomas Fan`_.

.. _changes_1_0:

Version 1.0.0
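Review bot: The entry states the fix without qualification, but the check added to sklearn/svm/_base.py in this commit is guarded by `not self._sparse`, so the changelog should say it applies to models fitted on dense data; otherwise the CVE-2020-28975 claim reads broader than the code. It would also help to name the exception (ValueError) and that it is raised at predict time, so users know what to catch. Minor wording: with two classes as the subject, "in its internal representation" should be "in their internal representation".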
7 changes: 7 additions & 0 deletions sklearn/svm/_base.py
Expand Up @@ -616,6 +616,13 @@ def _validate_for_predict(self, X):
"the number of samples at training time"
% (X.shape[1], self.shape_fit_[0])
)
# Fixes https://nvd.nist.gov/vuln/detail/CVE-2020-28975
# Check that _n_support is consistent with support_vectors
sv = self.support_vectors_
if not self._sparse and sv.size > 0 and self.n_support_.sum() != sv.shape[0]:
raise ValueError(
f"The internal representation of {self.__class__.__name__} was altered"
)
return X

@property
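Review bot: The guard `not self._sparse and sv.size > 0` means a model fitted on sparse data skips the consistency check entirely; either extend the check to that case or add a comment stating why the sparse path cannot reach the segfault. The comparison `self.n_support_.sum() != sv.shape[0]` only detects a changed total, so an alteration that moves counts between classes while keeping the sum the same still passes. The comment names `_n_support` while the code reads `self.n_support_`; use one name in both places, and consider having the error message say which two quantities disagree so the failure is diagnosable.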
13 changes: 13 additions & 0 deletions sklearn/svm/tests/test_svm.py
Expand Up @@ -1371,3 +1371,16 @@ def string_kernel(X1, X2):
else: # regressor
assert_allclose(svc1.predict(data), svc2.predict(X))
assert_allclose(svc1.predict(data), svc3.predict(K))


def test_svc_raises_error_internal_representation():
"""Check that SVC raises error when internal representation is altered.
Non-regression test for #18891 and https://nvd.nist.gov/vuln/detail/CVE-2020-28975
"""
clf = svm.SVC(kernel="linear").fit(X, Y)
clf._n_support[0] = 1000000

msg = "The internal representation of SVC was altered"
with pytest.raises(ValueError, match=msg):
clf.predict(X)
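Review bot: The test exercises only `svm.SVC(kernel="linear")`, while the changelog entry in this commit says SVR is covered as well; parametrize over both estimators and build the expected message from the class name instead of hard-coding "SVC". Since the new check is skipped when `self._sparse` is set, a second case fitted on sparse input would document what happens on that path. The docstring also needs a blank line between its summary line and the "Non-regression test for #18891" line.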
