Description
Describe the bug
I found a SpaceToDepth preparation path in tflite-micro that looks similar to the TensorFlow Lite issue fixed for CVE-2021-29587.
It seems to have a vulnerability in Prepare() of tensorflow/lite/micro/kernels/space_to_depth.cc.
The code still computes input_height / block_size and input_width / block_size directly, without a preceding runtime guard that block_size is non-zero. That preserves the same missing invariant: model-controlled block_size must be validated before division occurs.
ASAN Log
=================================================================
==5895==ERROR: AddressSanitizer: FPE on unknown address 0x55b96916a476 (pc 0x55b96916a476 bp 0x7ffdf8820fc0 sp 0x7ffdf8820f50 T0)
#0 0x55b96916a476 in tflite::(anonymous namespace)::Prepare(TfLiteContext*, TfLiteNode*) (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x18a476) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
#1 0x55b969164845 in tflite::micro::KernelRunner::InitAndPrepare(char const*, unsigned long) (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x184845) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
#2 0x55b9690f212f in void (anonymous namespace)::TestSpaceToDepth((anonymous namespace)::SpaceToDepthTest const&) (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x11212f) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
#3 0x55b9690f3be3 in SpaceToDepthTest_SpaceToDepth_BlockSizeZeroPoC_Test() (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x113be3) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
#4 0x55b9690f4292 in micro_test::internal::TestRunner::Run() (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x114292) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
#5 0x7124f3c691c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7124f3c6928a in __libc_start_main_impl ../csu/libc-start.c:360
#7 0x55b9690ef864 in _start (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x10f864) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/work/analysis_output/poc_validation/kernel_space_to_depth_test_asan+0x18a476) (BuildId: dbab023cfa97a354bcf742d040a057ddcca6751b) in tflite::(anonymous namespace)::Prepare(TfLiteContext*, TfLiteNode*)
==5895==ABORTING
Related information
Please check the information and fix the vulnerability.