# TFLite tensor.buffer OOB: OpenCV DNN Native Crash PoC

- **Finding:** TFLite `tensor.buffer` out-of-range index causes a SIGBUS native crash in the OpenCV DNN TFLite importer
- **Target:** TFLite (.tflite), Google / huntr MFV
- **Component:** `cv2.dnn.readNetFromTFLite` / `modules/dnn/src/tflite/tflite_importer.cpp`
- **CWE:** CWE-125 (Out-of-bounds Read)
- **Impact:** Native crash (SIGBUS, exit 138) during model load; denial-of-service in the model-loading path
## Files

| File | Description |
|---|---|
| `baseline_valid.tflite` | Valid model: `tensor.buffer=1`, `buffers.size=2` → LOAD_SUCCESS |
| `mutant_oob_100.tflite` | Malformed: `tensor.buffer=100`, `buffers.size=2` → LOAD_SUCCESS (missing bounds check) |
| `mutant_oob_7fffffff.tflite` | Malformed: `tensor.buffer=0x7fffffff`, `buffers.size=2` → Bus Error / SIGBUS / exit 138 |
| `reproduce.py` | Reproduction script (generates files and runs all cases; the crash is isolated in a subprocess) |
| `expected_output.txt` | Expected output of `reproduce.py` |
| `SHA256SUMS.txt` | SHA-256 checksums of all model files |
## Requirements

```
pip install flatbuffers numpy opencv-python-headless
```

Tested with:

- cv2 4.13.0 (opencv-python-headless 4.13.0.92)
- flatbuffers 25.12.19
- macOS arm64 / Python 3.x
## Reproduction

```
python3 reproduce.py
```

Expected primary result:

```
Case 2 - oob_7fffffff (tensor.buffer=0x7fffffff, buffers.size=2)
Result: Bus Error / SIGBUS / exit 138 - CRASH CONFIRMED
VERDICT: T0_CONFIRMED_CRASH_NATIVE (SIGBUS exit:138)
```
## Root Cause

In `modules/dnn/src/tflite/tflite_importer.cpp` (OpenCV 4.x):

```cpp
bufferIdx = tensor.buffer();
CV_Assert(bufferIdx != 0);
// Missing: CV_Assert(bufferIdx < model->buffers()->size());
const auto buffer = model->buffers()->Get(bufferIdx);
```

`Vector::Get(0x7fffffff)` reads at an address roughly 8 GB past the allocated buffer region, which raises SIGBUS.
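The check that the importer omits can be applied before the model ever reaches `readNetFromTFLite`. The following is an added example, not code from this repository or from OpenCV: a dependency-free FlatBuffer walker that reads only `Model.subgraphs[].tensors[].buffer` and `Model.buffers.size` and reports every tensor whose buffer index fails `bufferIdx < buffers.size()`. Field ids are taken from the public TFLite `schema.fbs`; `build_tflite_model` hand-packs a constructed, minimal TFLite-shaped skeleton (it carries only the fields the validator reads and is not a loadable model), so the three cases in the table above can be checked in memory. `find_oob_buffer_refs`, `build_tflite_model` and `is_safe_to_load` are names chosen here, not part of any project.

```python
"""Pre-load validator for the TFLite tensor.buffer bounds check the importer omits."""
import struct

# Field ids from TFLite schema.fbs (assumed: Model.subgraphs=2, Model.buffers=4,
# SubGraph.tensors=0, Tensor.buffer=2)
MODEL_SUBGRAPHS, MODEL_BUFFERS = 2, 4
SUBGRAPH_TENSORS = 0
TENSOR_BUFFER = 2


def _u32(b, pos):
    return struct.unpack_from("<I", b, pos)[0]


def _deref(b, pos):
    """Follow a uoffset stored at `pos` (FlatBuffer offsets are relative to their own location)."""
    return pos + _u32(b, pos)


def _vector(b, field_pos):
    """(length, position of first element) of the vector referenced from `field_pos`."""
    v = _deref(b, field_pos)
    return _u32(b, v), v + 4


def _table_field(b, table, field_id):
    """Absolute position of a table field, or None when the vtable marks it absent."""
    vtable = table - struct.unpack_from("<i", b, table)[0]
    vtable_size = struct.unpack_from("<H", b, vtable)[0]
    slot = 4 + 2 * field_id
    if slot + 2 > vtable_size:
        return None
    off = struct.unpack_from("<H", b, vtable + slot)[0]
    return table + off if off else None


def find_oob_buffer_refs(data):
    """(subgraph, tensor, buffer_idx) for each tensor whose buffer index is >= buffers.size,
    i.e. exactly the condition the missing CV_Assert would reject."""
    root = _deref(data, 0)
    buffers_field = _table_field(data, root, MODEL_BUFFERS)
    n_buffers = _vector(data, buffers_field)[0] if buffers_field is not None else 0
    subgraphs_field = _table_field(data, root, MODEL_SUBGRAPHS)
    if subgraphs_field is None:
        return []
    n_sub, sub_pos = _vector(data, subgraphs_field)
    bad = []
    for s in range(n_sub):
        subgraph = _deref(data, sub_pos + 4 * s)
        tensors_field = _table_field(data, subgraph, SUBGRAPH_TENSORS)
        if tensors_field is None:
            continue
        n_tensors, tensor_pos = _vector(data, tensors_field)
        for i in range(n_tensors):
            tensor = _deref(data, tensor_pos + 4 * i)
            buf_field = _table_field(data, tensor, TENSOR_BUFFER)
            buffer_idx = _u32(data, buf_field) if buf_field is not None else 0  # schema default
            if buffer_idx >= n_buffers:
                bad.append((s, i, buffer_idx))
    return bad


def build_tflite_model(tensor_buffer_indices, n_buffers):
    """Constructed sample: hand-pack a minimal TFLite-shaped FlatBuffer with one subgraph,
    the given tensor.buffer values and n_buffers empty Buffer tables. Not a loadable model."""
    buf, fixups, targets = bytearray(), [], {}

    def put(fmt, *vals):
        pos = len(buf)
        buf.extend(struct.pack("<" + fmt, *vals))
        return pos

    def place(key):  # 4-byte align, then record where an object starts
        while len(buf) % 4:
            buf.append(0)
        targets[key] = len(buf)
        return len(buf)

    def uoffset(key):  # reserve a forward reference, resolved at the end
        fixups.append((put("I", 0), key))

    uoffset("model")
    buf.extend(b"TFL3")  # TFLite file identifier
    t = place("model"); put("i", 0); uoffset("subgraphs"); uoffset("buffers")
    vt = place("model_vt"); put("HHHHHHH", 14, 12, 0, 0, 4, 0, 8)  # vtable for fields 0..4
    struct.pack_into("<i", buf, t, t - vt)
    place("subgraphs"); put("I", 1); uoffset("subgraph0")
    t = place("subgraph0"); put("i", 0); uoffset("tensors")
    vt = place("subgraph_vt"); put("HHH", 6, 8, 4)  # field 0: tensors
    struct.pack_into("<i", buf, t, t - vt)
    place("tensors"); put("I", len(tensor_buffer_indices))
    for i in range(len(tensor_buffer_indices)):
        uoffset(("tensor", i))
    vt = place("tensor_vt"); put("HHHHH", 10, 8, 0, 0, 4)  # field 2: buffer (uint32)
    for i, idx in enumerate(tensor_buffer_indices):
        t = place(("tensor", i)); put("i", t - vt); put("I", idx)
    place("buffers"); put("I", n_buffers)
    for j in range(n_buffers):
        uoffset(("buffer", j))
    vt = place("buffer_vt"); put("HH", 4, 4)  # empty Buffer table
    for j in range(n_buffers):
        t = place(("buffer", j)); put("i", t - vt)
    place("end")  # final padding
    for pos, key in fixups:
        struct.pack_into("<I", buf, pos, targets[key] - pos)
    return bytes(buf)


def is_safe_to_load(path):
    """Gate to run before cv2.dnn.readNetFromTFLite(path)."""
    with open(path, "rb") as f:
        return not find_oob_buffer_refs(f.read())


if __name__ == "__main__":
    for label, idx in [("baseline_valid", 1), ("oob_100", 100), ("oob_7fffffff", 0x7fffffff)]:
        oob = find_oob_buffer_refs(build_tflite_model([idx], 2))
        print(f"{label}: tensor.buffer={idx:#x} buffers.size=2 ->", "REJECT" if oob else "ok", oob)
```

Running it flags both `oob_100` and `oob_7fffffff`, which is the point: the `oob_100` case loads "successfully" in the importer only because the out-of-range read happens to land in mapped memory, so a loader-side gate should reject on the index comparison alone rather than wait for a crash. Calling `is_safe_to_load` on a real `.tflite` file before `readNetFromTFLite` applies the same gate to files on disk.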
## Non-Claims

- No RCE / ACE / arbitrary code execution claimed or demonstrated.
- No exploit beyond native crash is claimed.
- No confirmed memory disclosure or data exfiltration.
- Specific to `cv2.dnn.readNetFromTFLite` (OpenCV DNN path only). Not claimed against all TFLite loaders or all OpenCV versions.
- Wrong output for `oob_100` is not confirmed and not claimed.