Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time

TFSA-2018-002: GIF File Parsing Null Pointer Dereference Error

CVE Number


Issue Description

When parsing certain invalid GIF files, an internal function in the GIF decoder returned a null pointer, which was subsequently used as an argument to strcat.


A maliciously crafted GIF could be used to cause the TensorFlow process to crash.

Vulnerable Versions

TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1 1.4.1, 1.5.0, 1.5.1


We have patched the vulnerability in GitHub commit c4843158. If users are running TensorFlow in production or on untrusted data, they are encouraged to apply this patch.

Additionally, this patch has already been integrated into TensorFlow 1.6.0 and newer.


This issue was discovered by the Blade Team of Tencent.