Prevent use after free in DecodePng kernel.
We are cleaning up the memory in `decode` and then we are using an `OP_REQUIRES` to check an invariant on the `decode` data.

PiperOrigin-RevId: 409299145
Change-Id: I4eb93aaca52483eb202e89b78df07fbb2f6cb254
mihaimaruseac authored and tensorflower-gardener committed Nov 12, 2021
1 parent 3098fd9 commit e746adb
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion tensorflow/core/kernels/image/decode_image_op.cc
Expand Up @@ -339,7 +339,6 @@ class DecodeImageV2Op : public OpKernel {
if (width != static_cast<int64_t>(decode.width) || width <= 0 ||
width >= (1LL << 27) || height != static_cast<int64_t>(decode.height) ||
height <= 0 || height >= (1LL << 27) || total_size >= (1LL << 29)) {
png::CommonFreeDecode(&decode);
OP_REQUIRES(context, false,
errors::InvalidArgument("PNG size too large for int: ",
decode.width, " by ", decode.height));
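Review bot: in the size-check branch, once `png::CommonFreeDecode(&decode);` is gone, nothing visible in this hunk releases `decode` before `OP_REQUIRES(context, false, ...)` returns, so the use-after-free may have been traded for a leak on every rejected PNG. Please confirm that `decode` is freed elsewhere on this path; if it is not, copy `decode.width` and `decode.height` into locals first, call `png::CommonFreeDecode(&decode)`, and build the `errors::InvalidArgument` message from the locals. A short comment in the branch explaining why the free must not come before the error macro reads `decode` would keep the ordering from regressing. Separately, the message "PNG size too large for int: " is also emitted when `width <= 0` or `height <= 0` or the dimensions mismatch, so a more general wording would make the error easier to triage.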