Merge pull request #57433 from...

Merge pull request #57433 from tensorflow/cherrypick-bf4c1435-on-r2.9 Fix security vulnerability with DenseBincountOp

Merge pull request #57433 from...
Merge pull request #57433 from tensorflow/cherrypick-bf4c1435-on-r2.9 Fix security vulnerability with DenseBincountOp
722e66fe · Mihai Maruseac · GitHub · 563e4ed4 · 8eb8b5b3 · 722e66fe
Showing with 34 addition and 0 deletion

tensorflow/core/kernels/bincount_op.cc tensorflow/core/kernels/bincount_op.cc +8 -0

tensorflow/python/kernel_tests/math_ops/bincount_op_test.py tensorflow/python/kernel_tests/math_ops/bincount_op_test.py +26 -0

未找到文件。
--- a/tensorflow/core/kernels/bincount_op.cc
+++ b/tensorflow/core/kernels/bincount_op.cc
@@ -280,6 +280,14 @@ class DenseBincountOp : public OpKernel {
    OP_REQUIRES(ctx, size_t.dims() == 0,
                errors::InvalidArgument("Shape must be rank 0 but is rank ",
                                        size_t.dims()));
+    OP_REQUIRES(ctx,
+                weights.shape() == data.shape() || weights.NumElements() == 0,
+                errors::InvalidArgument(
+                    "`weights` must be the same shape as `arr` or a length-0 "
+                    "`Tensor`, in which case it acts as all weights equal to "
+                    "1. Received ",
+                    weights.shape().DebugString()));
+
    Tidx size = size_t.scalar<Tidx>()();
    OP_REQUIRES(
        ctx, size >= 0,

--- a/tensorflow/python/kernel_tests/math_ops/bincount_op_test.py
+++ b/tensorflow/python/kernel_tests/math_ops/bincount_op_test.py
@@ -24,6 +24,7 @@ from tensorflow.python.framework import test_util
 from tensorflow.python.ops import array_ops
 from tensorflow.python.ops import bincount_ops
 from tensorflow.python.ops import gen_math_ops
+from tensorflow.python.ops import random_ops
 from tensorflow.python.ops import sparse_ops
 from tensorflow.python.ops.ragged import ragged_factory_ops
 from tensorflow.python.ops.ragged import ragged_tensor
@@ -150,6 +151,31 @@ class BincountTest(test_util.TensorFlowTestCase):
      v2 = gen_math_ops.bincount([1, 2, 3, 1, 6, 8], s, [])
      self.assertAllEqual(v2.get_shape().as_list(), [None])

+  @test_util.run_in_graph_and_eager_modes
+  def test_invalid_inputs(self):
+    binary_output = True
+    inp = random_ops.random_uniform(
+        shape=[10, 10],
+        minval=-10000,
+        maxval=10000,
+        dtype=dtypes.int32,
+        seed=-2460)
+    size = random_ops.random_uniform(
+        shape=[], minval=-10000, maxval=10000, dtype=dtypes.int32, seed=-10000)
+    weights = random_ops.random_uniform(
+        shape=[],
+        minval=-10000,
+        maxval=10000,
+        dtype=dtypes.float32,
+        seed=-10000)
+    with self.assertRaises(errors.InvalidArgumentError):
+      self.evaluate(
+          gen_math_ops.dense_bincount(
+              input=inp,
+              size=size,
+              weights=weights,
+              binary_output=binary_output))
+

 class BincountOpTest(test_util.TensorFlowTestCase, parameterized.TestCase):