fix several security bugs reported by security team (#18831)

* fix security issue, test=develop * bug fix, test=develop * throw an exception when null pointer data with non-zero length PaddleBuf is passed, test=develop

fix several security bugs reported by security team (#18831)
* fix security issue, test=develop * bug fix, test=develop * throw an exception when null pointer data with non-zero length PaddleBuf is passed, test=develop
0d996908 · liuwei1031 · GitHub · 61238d31 · 0d996908 · 0d996908
3 changed file
--- a/paddle/fluid/inference/api/api.cc
+++ b/paddle/fluid/inference/api/api.cc
@@ -54,8 +54,15 @@ PaddleBuf &PaddleBuf::operator=(const PaddleBuf &other) {
    memory_owned_ = other.memory_owned_;
  } else {
    Resize(other.length());
-    PADDLE_ENFORCE(!(other.length() > 0 && other.data() == nullptr));
-    memcpy(data_, other.data(), other.length());
+    // if other.length() == 0 or other.data() == nullptr, then the memcpy
+    // behavior is undefined
+    if (other.length() && other.data())
+      memcpy(data_, other.data(), other.length());
+    else if (other.length())
+      PADDLE_THROW(
+          "Invalid argument, null pointer data with length %u is passed",
+          other.length());
+
    length_ = other.length();
    memory_owned_ = true;
  }

--- a/paddle/fluid/operators/detection/gpc.cc
+++ b/paddle/fluid/operators/detection/gpc.cc
@@ -532,6 +532,7 @@ static int count_contours(polygon_node *polygon) {
 }

 static void add_left(polygon_node *p, double x, double y) {
+  PADDLE_ENFORCE_NOT_NULL(p);
  vertex_node *nv = NULL;

  /* Create a new vertex node and set its fields */
@@ -587,6 +588,7 @@ static void add_right(polygon_node *p, double x, double y) {
 }

 static void merge_right(polygon_node *p, polygon_node *q, polygon_node *list) {
+  PADDLE_ENFORCE_NOT_NULL(p);
  polygon_node *target = NULL;

  /* Label contour as external */
@@ -662,6 +664,7 @@ void add_vertex(vertex_node **t, double x, double y) {
 }

 void gpc_vertex_create(edge_node *e, int p, int s, double x, double y) {
+  PADDLE_ENFORCE_NOT_NULL(e);
  add_vertex(&(e->outp[p]->v[s]), x, y);
  e->outp[p]->active++;
 }
@@ -1014,6 +1017,7 @@ void gpc_polygon_clip(gpc_op op, gpc_polygon *subj, gpc_polygon *clip,
    e0 = aet;
    e1 = aet;
    /* Set up bundle fields of first edge */
+    PADDLE_ENFORCE_NOT_NULL(aet);
    aet->bundle[ABOVE][aet->type] = (aet->top.y != yb);
    aet->bundle[ABOVE][!aet->type] = 0;
    aet->bstate[ABOVE] = UNBUNDLED;
@@ -1646,6 +1650,7 @@ void gpc_tristrip_clip(gpc_op op, gpc_polygon *subj, gpc_polygon *clip,
    e1 = aet;

    /* Set up bundle fields of first edge */
+    PADDLE_ENFORCE_NOT_NULL(aet);
    aet->bundle[ABOVE][aet->type] = (aet->top.y != yb);
    aet->bundle[ABOVE][!aet->type] = 0;
    aet->bstate[ABOVE] = UNBUNDLED;
@@ -1782,7 +1787,7 @@ void gpc_tristrip_clip(gpc_op op, gpc_polygon *subj, gpc_polygon *clip,
                }
                new_tristrip(&tlist, cf, cf->xb, yb);
              }
-              edge->outp[ABOVE] = cf->outp[ABOVE];
+              if (cf) edge->outp[ABOVE] = cf->outp[ABOVE];
              gpc_vertex_create(edge, ABOVE, RIGHT, xb, yb);
              break;
            case ILI:

--- a/paddle/fluid/string/piece.cc
+++ b/paddle/fluid/string/piece.cc
@@ -20,6 +20,13 @@
 #include <iosfwd>
 #include <stdexcept>

+#define CHAR_POINTER_CMP(a, b) \
+  do {                         \
+    if (!a && !b) return 0;    \
+    if (!a) return -1;         \
+    if (!b) return 1;          \
+  } while (0)
+
 namespace paddle {
 namespace string {

@@ -40,6 +47,7 @@ char Piece::operator[](size_t n) const {
 }

 int Compare(Piece a, Piece b) {
+  CHAR_POINTER_CMP(a.data(), b.data());
  const size_t min_len = (a.len() < b.len()) ? a.len() : b.len();
  int r = memcmp(a.data(), b.data(), min_len);
  if (r == 0) {
@@ -52,8 +60,10 @@ int Compare(Piece a, Piece b) {
 }

 bool operator==(Piece x, Piece y) {
-  return ((x.len() == y.len()) &&
-          (x.data() == y.data() || memcmp(x.data(), y.data(), x.len()) == 0));
+  return (!x.len() && !y.len()) ? true
+                                : ((x.len() == y.len()) &&
+                                   (x.data() == y.data() ||
+                                    memcmp(x.data(), y.data(), x.len()) == 0));
 }

 bool operator!=(Piece x, Piece y) { return !(x == y); }
@@ -65,12 +75,14 @@ bool operator<=(Piece x, Piece y) { return Compare(x, y) <= 0; }
 bool operator>=(Piece x, Piece y) { return Compare(x, y) >= 0; }

 bool HasPrefix(Piece s, Piece x) {
-  return ((s.len() >= x.len()) && (memcmp(s.data(), x.data(), x.len()) == 0));
+  return !x.len() ? true : ((s.len() >= x.len()) &&
+                            (memcmp(s.data(), x.data(), x.len()) == 0));
 }

 bool HasSuffix(Piece s, Piece x) {
-  return ((s.len() >= x.len()) &&
-          (memcmp(s.data() + (s.len() - x.len()), x.data(), x.len()) == 0));
+  return !x.len() ? true : ((s.len() >= x.len()) &&
+                            (memcmp(s.data() + (s.len() - x.len()), x.data(),
+                                    x.len()) == 0));
 }

 Piece SkipPrefix(Piece s, size_t n) {