In TensorFlow before version 2.6.0, TFLite's expand_dims.cc contains a vulnerability that allows reading one element outside the bounds of heap-allocated data. If axis is a large negative value (e.g., -100000), then after the first if it would still be negative. The check following the if statement will pass, and the for loop would read one element before the start of input_dims.data (when i = 0).
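The axis handling described above, modelled as an added C example (not TensorFlow's source or code from the advisory): the upper-bound-only check beside a hardened one that also enforces a lower bound. All function names, the rank of 3 and the sample shape are assumptions made for illustration, and the index replay computes offsets without dereferencing them.

```c
#include <stdio.h>

/* Simplified model of the axis handling the advisory describes.
   All names are hypothetical; this is not TensorFlow's source. */

/* Check as described: normalize once, then test only the upper bound. */
int axis_ok_legacy(int axis, int rank, int *norm) {
    if (axis < 0) axis += rank + 1;   /* fixes up -1..-(rank+1) only */
    *norm = axis;
    return axis <= rank;              /* -100000 is still negative and passes */
}

/* Hardened check: normalized axis must lie in [0, rank]. */
int axis_ok_hardened(int axis, int rank, int *norm) {
    if (axis < 0) axis += rank + 1;
    *norm = axis;
    return axis >= 0 && axis <= rank;
}

/* Replays the copy loop's index arithmetic without dereferencing anything
   and returns the lowest input index it would read (-1 = before the buffer). */
int lowest_input_index(int norm, int rank) {
    int lowest = rank;                /* sentinel: nothing read yet */
    for (int i = 0; i <= rank; ++i) {
        int idx;
        if (i < norm) idx = i;        /* dims before the new axis */
        else if (i == norm) continue; /* the inserted 1, no input read */
        else idx = i - 1;             /* dims after the new axis */
        if (idx < lowest) lowest = idx;
    }
    return lowest;
}

/* Writes rank+1 output dims; returns 0 on success, -1 if axis is rejected. */
int expand_dims_shape(const int *in, int rank, int axis, int *out) {
    int norm;
    if (!axis_ok_hardened(axis, rank, &norm)) return -1;
    for (int i = 0; i <= rank; ++i)
        out[i] = (i < norm) ? in[i] : (i == norm) ? 1 : in[i - 1];
    return 0;
}

int main(void) {
    int norm, in[3] = {2, 3, 4}, out[4];   /* constructed sample shape */
    printf("legacy accepts -100000: %d\n", axis_ok_legacy(-100000, 3, &norm));
    printf("lowest index read: %d\n", lowest_input_index(norm, 3));
    printf("hardened result: %d\n", expand_dims_shape(in, 3, -100000, out));
    return 0;
}
```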
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c545-c4f9-rf6v
https://github.com/tensorflow/tensorflow/commit/d94ffe08a65400f898241c0374e9edc6fa8ed257