
[Bug Report]: Missing argument check in frontend_main.c leads to a null pointer dereference vulnerability

Open x-codingman opened this issue 11 months ago • 2 comments

Contact Details

No response

What happened?

frontend_main.c argument check vulnerability

Basic information

I am contacting you to report a potential vulnerability found in the latest version of AliOS-Things. I am opening this issue for your review. If the vulnerability is confirmed, please let me know whether you plan to request a CVE ID. I would be happy to provide any additional details or clarification if needed.

Summary

In AliOS-Things/components/ai_agent/src/engine/tflite-micro/tensorflow/lite/experimental/microfrontend/lib/frontend_main.c, the number of arguments is not checked and the second command-line argument is used directly. Since the user may supply only one argument (i.e. argv[0]) without providing argv[1], this can lead to a NULL pointer dereference (CWE-476).

Vulnerable code

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include "tensorflow/lite/experimental/microfrontend/lib/frontend.h"
#include "tensorflow/lite/experimental/microfrontend/lib/frontend_util.h"

int main(int argc, char** argv) {
  struct FrontendConfig frontend_config;
  FrontendFillConfigWithDefaults(&frontend_config);

  char* filename = argv[1];  // argc is never checked; the content of argv[1] is assigned to the pointer and later used in fprintf.
  int sample_rate = 16000;

  struct FrontendState frontend_state;
  if (!FrontendPopulateState(&frontend_config, &frontend_state, sample_rate)) {
    fprintf(stderr, "Failed to populate frontend state\n");
    FrontendFreeStateContents(&frontend_state);
    return 1;
  }

  FILE* fp = fopen(filename, "r");
  if (fp == NULL) {
    fprintf(stderr, "Failed to open %s for read\n", filename);
    return 1;
  }
  fseek(fp, 0L, SEEK_END);
  size_t audio_file_size = ftell(fp) / sizeof(int16_t);
  fseek(fp, 0L, SEEK_SET);
  int16_t* audio_data = malloc(audio_file_size * sizeof(int16_t));
  int16_t* original_audio_data = audio_data;
  if (audio_file_size !=
      fread(audio_data, sizeof(int16_t), audio_file_size, fp)) {
    fprintf(stderr, "Failed to read in all audio data\n");
    fclose(fp);
    return 1;
  }

  while (audio_file_size > 0) {
    size_t num_samples_read;
    struct FrontendOutput output = FrontendProcessSamples(
        &frontend_state, audio_data, audio_file_size, &num_samples_read);
    audio_data += num_samples_read;
    audio_file_size -= num_samples_read;

    if (output.values != NULL) {
      int i;
      for (i = 0; i < output.size; ++i) {
        printf("%d ", output.values[i]);
      }
      printf("\n");
    }
  }

  FrontendFreeStateContents(&frontend_state);
  free(original_audio_data);
  fclose(fp);
  return 0;
}

Vulnerability description

This function receives user input. However, it does not check the number of user arguments and directly uses a user argument that may not exist. This vulnerability can lead to a NULL pointer dereference (CWE-476).

Version

master (Default)

What solutions are you seeing the problem on?

No response

Relevant log output

No response

x-codingman avatar Jan 05 '25 11:01 x-codingman
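The fix the report calls for, shown as an added example rather than code from the AliOS-Things or tflite-micro projects: the argument handling is factored into a checked helper so argv[1] is only read once argc proves it exists, and argv[0] is guarded as well because a process can be started with an empty argument vector. The frontend state setup and sample loop from the report are left out; the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Returns the input path from the argument vector, or NULL when the caller
 * did not supply one. argv[1] is read only after argc proves it exists: with
 * argc == 1, argv[1] is the terminating NULL entry of the vector, which is
 * exactly the pointer the unchecked original handed to fopen() and fprintf(). */
static const char* checked_input_path(int argc, char** argv) {
  if (argc < 2 || argv == NULL || argv[1] == NULL || argv[1][0] == '\0') {
    return NULL;
  }
  return argv[1];
}

/* Usage message. argv[0] is guarded too: a process exec'd with an empty
 * argument vector has argc == 0 and no program name. Returns the exit status
 * the caller should use. */
static int report_usage(int argc, char** argv) {
  const char* prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "frontend_main";
  fprintf(stderr, "Usage: %s <16-bit PCM audio file>\n", prog);
  return 1;
}

int main(int argc, char** argv) {
  const char* filename = checked_input_path(argc, argv);
  if (filename == NULL) {
    return report_usage(argc, argv);  /* original: NULL flowed into fopen()/fprintf() */
  }
  FILE* fp = fopen(filename, "r");
  if (fp == NULL) {
    fprintf(stderr, "Failed to open %s for read\n", filename);
    return 1;
  }
  /* The remainder of frontend_main.c (state setup, sample loop) is unchanged. */
  fclose(fp);
  return 0;
}
```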

Please feel free to contact me at [email protected] for further information or assistance.

x-codingman avatar Jan 15 '25 00:01 x-codingman

This project has already ceased operation and been archived; there just has not been an announcement on the GitHub side.

kayeeeo avatar Nov 15 '25 13:11 kayeeeo