You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

TFLite tensor.buffer OOB β€” OpenCV DNN Native Crash PoC

Finding: TFLite tensor.buffer out-of-range index causes SIGBUS native crash in OpenCV DNN TFLite importer
Target: TFLite (.tflite) – Google / huntr MFV
Component: cv2.dnn.readNetFromTFLite / modules/dnn/src/tflite/tflite_importer.cpp
CWE: CWE-125 (Out-of-bounds Read)
Impact: Native crash (SIGBUS, exit 138) during model load β€” denial-of-service in model-loading path


Files

File Description
baseline_valid.tflite Valid model: tensor.buffer=1, buffers.size=2 β†’ LOAD_SUCCESS
mutant_oob_100.tflite Malformed: tensor.buffer=100, buffers.size=2 β†’ LOAD_SUCCESS (missing bounds check)
mutant_oob_7fffffff.tflite Malformed: tensor.buffer=0x7fffffff, buffers.size=2 β†’ Bus Error / SIGBUS / exit 138
reproduce.py Reproduction script (generates files + runs all cases, crash isolated in subprocess)
expected_output.txt Expected output of reproduce.py
SHA256SUMS.txt SHA-256 checksums of all model files

Requirements

pip install flatbuffers numpy opencv-python-headless

Tested with:

  • cv2 4.13.0 (opencv-python-headless 4.13.0.92)
  • flatbuffers 25.12.19
  • macOS arm64 / Python 3.x

Reproduction

python3 reproduce.py

Expected primary result:

Case 2 β€” oob_7fffffff (tensor.buffer=0x7fffffff, buffers.size=2)
  Result: Bus Error / SIGBUS / exit 138 ← CRASH CONFIRMED

VERDICT: T0_CONFIRMED_CRASH_NATIVE (SIGBUS exit:138)

Root Cause

In modules/dnn/src/tflite/tflite_importer.cpp (OpenCV 4.x):

bufferIdx = tensor.buffer();
CV_Assert(bufferIdx != 0);
// Missing: CV_Assert(bufferIdx < model->buffers()->size());
const auto buffer = model->buffers()->Get(bufferIdx);

Vector::Get(0x7fffffff) accesses approximately 8 GB beyond the allocated buffer region β†’ SIGBUS.


Non-Claims

  • No RCE / ACE / arbitrary code execution claimed or demonstrated.
  • No exploit beyond native crash is claimed.
  • No confirmed memory disclosure or data exfiltration.
  • Specific to cv2.dnn.readNetFromTFLite (OpenCV DNN path only).
  • Not claimed against all TFLite loaders or all OpenCV versions.
  • Wrong output for oob_100 is not confirmed and not claimed.
Downloads last month
15
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support