Skip to content
Permalink
Browse files Browse the repository at this point in the history
[tflite] Ensure MatchingDim does not allow buffer overflow.
We check in `MatchingDim` that both arguments have the same dimensionality, however that is a `DCHECK` only enabled if building in debug mode. Hence, it could be possible to cause buffer overflows by passing in a tensor with larger dimensions as the second argument. To fix, we now make `MatchingDim` return the minimum of the two sizes.

A much better fix would be to return a status object but that requires refactoring a large part of the codebase for minor benefits.

PiperOrigin-RevId: 332526127
Change-Id: If627d0d2c80a685217b6e0d1e64b0872dbf1c5e4
  • Loading branch information
mihaimaruseac authored and tensorflower-gardener committed Sep 18, 2020
1 parent 0b5662b commit 8ee24e7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tensorflow/lite/kernels/internal/types.h
Expand Up @@ -438,7 +438,7 @@ int MatchingArraySize(const ArrayType1& array1, int index1,
inline int MatchingDim(const RuntimeShape& shape1, int index1,
const RuntimeShape& shape2, int index2) {
TFLITE_DCHECK_EQ(shape1.Dims(index1), shape2.Dims(index2));
return shape1.Dims(index1);
return std::min(shape1.Dims(index1), shape2.Dims(index2));
}

template <typename... Args>
Expand Down

0 comments on commit 8ee24e7

Please sign in to comment.