CVE-2022-41896: Make MfccMelFilterbank fail initialization if num_channels is > max i… · tensorflow/tensorflow@39ec7ea

TensorFlow is an open source platform for machine learning. If ThreadUnsafeUnigramCandidateSampler is given input filterbank_channel_count greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

@@ -15,6 +15,7 @@ limitations under the License.

#include “tensorflow/core/kernels/mfcc_mel_filterbank.h”

#include <limits>

#include <vector>

#include “tensorflow/core/platform/test.h”
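Review bot: this hunk touches only the test translation unit (it includes `tensorflow/core/kernels/mfcc_mel_filterbank.h` and `tensorflow/core/platform/test.h`), so the bounds check in `MfccMelFilterbank::Initialize` that the new tests rely on is not visible here and must be reviewed alongside the kernel-side change. The `#include <limits>` itself is correct and required for the `std::numeric_limits<int>::max()` call in `FailsWhenChannelsGreaterThanMaxIntValue`.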

@@ -85,4 +86,37 @@ TEST(MfccMelFilterbankTest, IgnoresExistingContentOfOutputVector) {

}

}

TEST(MfccMelFilterbankTest, FailsWhenChannelsGreaterThanMaxIntValue) {

// Test for bug where vector throws a length_error when it suspects the size

// to be more than it’s max_size. For now, we fail initialization when the

// number of requested channels is >= the maximum value int can take (since

// num_channels_ is an int).

MfccMelFilterbank filterbank;

const int kSampleCount = 513;

std::size_t num_channels = std::numeric_limits<int>::max();

bool initialized = filterbank.Initialize(

kSampleCount, 2 /* sample rate */, num_channels /* channels */,

1.0 /* lower frequency limit */, 5.0 /* upper frequency limit */);

EXPECT_FALSE(initialized);

}

TEST(MfccMelFilterbankTest, FailsWhenChannelsGreaterThanMaxSize) {

// Test for bug where vector throws a length_error when it suspects the size

// to be more than it’s max_size. For now, we fail initialization when the

// number of requested channels is > than std::vector<double>::max_size().

MfccMelFilterbank filterbank;

const int kSampleCount = 513;

// Set num_channels to exceed the max_size a double vector can

// theoretically take.

std::size_t num_channels = std::vector<double>().max_size() + 1;

bool initialized = filterbank.Initialize(

kSampleCount, 2 /* sample rate */, num_channels /* channels */,

1.0 /* lower frequency limit */, 5.0 /* upper frequency limit */);

EXPECT_FALSE(initialized);

}

} // namespace tensorflow
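Review bot: `num_channels` is declared `std::size_t` in both tests while the comment states that `num_channels_` is stored as an `int`; if `Initialize` also takes the channel count as `int`, the argument is narrowed at the call site, and `std::vector<double>().max_size() + 1` in `FailsWhenChannelsGreaterThanMaxSize` would be truncated to an unrelated (possibly small or negative) value before any `> max_size()` comparison runs, so that test could pass without exercising the case its comment describes. Confirm the parameter type, or widen it, so the requested count reaches the check intact. Minor: `it's max_size` should read `its max_size` in both comment blocks, and the first two comment lines are repeated verbatim between the two tests.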

Related news

GHSA-rmg2-f698-wq35: `tf.raw_ops.Mfcc` crashes

### Impact

If [`ThreadUnsafeUnigramCandidateSampler`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/mirror_pad_op.cc) is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash.

```python
import tensorflow as tf

tf.raw_ops.Mfcc(
    spectrogram=[[[1.38, 6.32, 5.75, 9.51]]],
    sample_rate=2,
    upper_frequency_limit=5.0,
    lower_frequency_limit=1.0,
    filterbank_channel_count=2**31 - 1,
    dct_coefficient_count=1,
)
```

### Patches

We have patched the issue in GitHub commit [39ec7eaf1428e90c37787e5b3fbd68ebd3c48860](https://github.com/tensorflow/tensorflow/commit/39ec7eaf1428e90c37787e5b3fbd68ebd3c48860). The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still within the supported range.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorf...
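As an added illustration of the validation the new tests expect (example code written for this page, not TensorFlow's own fix; `MelFilterbankState`, `IsValidChannelCount` and `InitializeFilterbank` are hypothetical names), the requested channel count is checked against both the range of `int` and the vector's `max_size()` before anything is allocated, and it is accepted as `std::size_t` so an oversized request is never silently narrowed on the way to the check:

```cpp
#include <cstddef>
#include <limits>
#include <vector>

// Hypothetical stand-in for the kernel's filterbank state (not TensorFlow code).
struct MelFilterbankState {
  int num_channels = 0;                    // the kernel stores the count as int
  std::vector<double> center_frequencies;  // one entry per channel
};

// Returns true only if `requested` is a channel count the state can hold:
// at least one channel, strictly below int's maximum (the stored type), and
// no larger than a std::vector<double> can address. Rejecting the value here,
// before resize()/assign(), is what prevents the std::length_error or failed
// allocation that otherwise aborts the process.
bool IsValidChannelCount(std::size_t requested) {
  const std::size_t int_max =
      static_cast<std::size_t>(std::numeric_limits<int>::max());
  const std::size_t vec_max = std::vector<double>().max_size();
  if (requested < 1) return false;
  if (requested >= int_max) return false;
  if (requested > vec_max) return false;
  return true;
}

// Mirrors the shape of an Initialize() call: validate first, allocate only on
// success. Takes std::size_t rather than int so a huge caller value is not
// truncated to a small or negative int before the check runs.
bool InitializeFilterbank(MelFilterbankState* state, std::size_t requested) {
  if (!IsValidChannelCount(requested)) return false;
  state->num_channels = static_cast<int>(requested);  // safe: < INT_MAX
  state->center_frequencies.assign(state->num_channels, 0.0);
  return true;
}
```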
