1## TFSA-2021-073: Division by zero in padding computation in TFLite 2 3### CVE Number 4CVE-2021-29585 5 6### Impact 7The TFLite computation for size of output after padding, 8[`ComputeOutSize`](https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), 9does not check that the `stride` argument is not 0 before doing the division. 10 11```cc 12inline int ComputeOutSize(TfLitePadding padding, int image_size, 13 int filter_size, int stride, int dilation_rate = 1) { 14 int effective_filter_size = (filter_size - 1) * dilation_rate + 1; 15 switch (padding) { 16 case kTfLitePaddingSame: 17 return (image_size + stride - 1) / stride; 18 case kTfLitePaddingValid: 19 return (image_size + stride - effective_filter_size) / stride; 20 default: 21 return 0; 22 } 23} 24``` 25 26Users can craft special models such that `ComputeOutSize` is called with 27`stride` set to 0. 28 29### Patches 30We have patched the issue in GitHub commit 31[49847ae69a4e1a97ae7f2db5e217c77721e37948](https://github.com/tensorflow/tensorflow/commit/49847ae69a4e1a97ae7f2db5e217c77721e37948). 32 33The fix will be included in TensorFlow 2.5.0. We will also cherrypick this 34commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 352.1.4, as these are also affected and still in supported range. 36 37### For more information 38Please consult [our security 39guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for 40more information regarding the security model and how to contact us with issues 41and questions. 42 43### Attribution 44This vulnerability has been reported by members of the Aivul Team from Qihoo 45360. 46