diff options
| author |  David G. Andersen <dga@google.com> | 2018-02-14 18:56:47 -0800 |
|---|---|---|
| committer |  TensorFlower Gardener <gardener@tensorflow.org> | 2018-02-14 19:00:06 -0800 |
| commit | 49f73c55d56edffebde4bca4a407ad69c1cae433 (patch) | |
| tree | 77d37596355a443db59714b32d32f902b47bbdc0 /tensorflow/core/kernels/decode_bmp_op.cc | |
| parent | 109d7af263e927e6be4d596dfc37676d8dec5463 (diff) | |
Fix integer overflow in BMP decoder by making the checks in DecodeBmp
more stringent. Add fuzzer to improve the robustness of the decoder
in the future.
PiperOrigin-RevId: 185780111
Diffstat (limited to 'tensorflow/core/kernels/decode_bmp_op.cc')
| -rw-r--r-- | tensorflow/core/kernels/decode_bmp_op.cc | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/tensorflow/core/kernels/decode_bmp_op.cc b/tensorflow/core/kernels/decode_bmp_op.cc index b7d120a617..b4dcf0a74b 100644 --- a/tensorflow/core/kernels/decode_bmp_op.cc +++ b/tensorflow/core/kernels/decode_bmp_op.cc @@ -91,15 +91,32 @@ class DecodeBmpOp : public OpKernel { errors::InvalidArgument( "Number of channels must be 1, 3 or 4, was ", channels_)); + OP_REQUIRES(context, width > 0 && header_size >= 0, + errors::InvalidArgument("Width must be positive")); + OP_REQUIRES(context, header_size >= 0, + errors::InvalidArgument("header size must be nonnegative")); + + // The real requirement is < 2^31 minus some headers and channel data, + // so rounding down to something that's still ridiculously big. + OP_REQUIRES( + context, + (static_cast<int64>(width) * std::abs(static_cast<int64>(height))) < + static_cast<int64>(std::numeric_limits<int32_t>::max() / 8), + errors::InvalidArgument( + "Total possible pixel bytes must be less than 2^30")); + + const int32 abs_height = abs(height); + // there may be padding bytes when the width is not a multiple of 4 bytes // 8 * channels == bits per pixel const int row_size = (8 * channels_ * width + 31) / 32 * 4; - const int last_pixel_offset = - header_size + (abs(height) - 1) * row_size + (width - 1) * channels_; + const int64 last_pixel_offset = static_cast<int64>(header_size) + + (abs_height - 1) * row_size + + (width - 1) * channels_; // [expected file size] = [last pixel offset] + [last pixel size=channels] - const int expected_file_size = last_pixel_offset + channels_; + const int64 expected_file_size = last_pixel_offset + channels_; OP_REQUIRES( context, (expected_file_size <= input.size()), @@ -115,12 +132,12 @@ class DecodeBmpOp : public OpKernel { Tensor* output = nullptr; OP_REQUIRES_OK( context, context->allocate_output( - 0, TensorShape({abs(height), width, channels_}), &output)); + 0, TensorShape({abs_height, width, channels_}), &output)); const uint8* bmp_pixels = &img_bytes[header_size]; Decode(bmp_pixels, row_size, output->flat<uint8>().data(), width, - abs(height), channels_, top_down); + abs_height, channels_, top_down); } uint8* Decode(const uint8* input, const int row_size, uint8* const output, |