10000 FIX Prevents segfault in SVC when internals are altered (#21336) · scikit-learn/scikit-learn@1bf13d5 · GitHub


Commit 1bf13d5

thomasjpfanglemaitrejeremiedbbogrisel
authored
FIX Prevents segfault in SVC when internals are altered (#21336)
Co-authored-by: Guillaume Lemaitre <g.lemaitre58@gmail.com> Co-authored-by: Jérémie du Boisberranger <34657725+jeremiedbb@users.noreply.github.com> Co-authored-by: Olivier Grisel <olivier.grisel@gmail.com>
1 parent f3f04ed commit 1bf13d5


3 files changed

+29
-0
lines changed


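--- a/doc/whats_new/v1.0.rst
+++ b/doc/whats_new/v1.0.rst
@@ -67,6 +67,15 @@ Fixed models
 names out from one step of a pipeline to the next. :pr:`21351` by
 `Thomas Fan`_.
 
+:mod:`sklearn.svm`
+..................
+
+- |Fix| :class:`svm.SVC` and :class:`svm.SVR` check for an inconsistency
+in its internal representation and raise an error instead of segfaulting.
+This fix also resolves
+`CVE-2020-28975 <https://nvd.nist.gov/vuln/detail/CVE-2020-28975>`__.
+:pr:`21336` by `Thomas Fan`_.
+
 .. _changes_1_0:
 
 Version 1.0.0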

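--- a/sklearn/svm/_base.py
+++ b/sklearn/svm/_base.py
@@ -616,6 +616,13 @@ def _validate_for_predict(self, X):
 "the number of samples at training time"
 % (X.shape[1], self.shape_fit_[0])
 )
+# Fixes https://nvd.nist.gov/vuln/detail/CVE-2020-28975
+# Check that _n_support is consistent with support_vectors
+sv = self.support_vectors_
+if not self._sparse and sv.size > 0 and self.n_support_.sum() != sv.shape[0]:
+raise ValueError(
+f"The internal representation of {self.__class__.__name__} was altered"
+)
 return X
 
 @property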
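Review bot: The consistency guard added before `return X` is skipped whenever `self._sparse` is true, so an estimator fitted on sparse input whose `_n_support` was altered gets no check here; if the sparse prediction path passes the same counts to native code it presumably needs the same guard, and otherwise the exemption deserves a comment. The check also compares only `n_support_` against `support_vectors_`, so it is a targeted fix for this CVE rather than a general integrity check on a model whose attributes were modified after fitting; other fitted arrays are still trusted as they are. I would make that explicit in the comment, e.g. `# Dense path only: n_support_ must sum to support_vectors_.shape[0] before prediction reaches native code (CVE-2020-28975)`. The error message could also name the two attributes that disagree so the failure is diagnosable from a log. `_validate_for_predict` starts above this hunk.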

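--- a/sklearn/svm/tests/test_svm.py
+++ b/sklearn/svm/tests/test_svm.py
@@ -1371,3 +1371,16 @@ def string_kernel(X1, X2):
 else: # regressor
 assert_allclose(svc1.predict(data), svc2.predict(X))
 assert_allclose(svc1.predict(data), svc3.predict(K))
+
+
+def test_svc_raises_error_internal_representation():
+"""Check that SVC raises error when internal representation is altered.
+
+Non-regression test for #18891 and https://nvd.nist.gov/vuln/detail/CVE-2020-28975
+"""
+clf = svm.SVC(kernel="linear").fit(X, Y)
+clf._n_support[0] = 1000000
+
+msg = "The internal representation of SVC was altered"
+with pytest.raises(ValueError, match=msg):
+clf.predict(X)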
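Review bot: The new test exercises only a dense `SVC` with a linear kernel, while the changelog entry in this commit says both `svm.SVC` and `svm.SVR` gain the check, so the regressor side of the guard is untested. Parametrizing over the estimator would cover it, e.g. `@pytest.mark.parametrize("Estimator", [svm.SVC, svm.SVR])` with `msg = f"The internal representation of {Estimator.__name__} was altered"`; this assumes `n_support_` on SVR also reflects `_n_support[0]`, which is not visible here. The sparse case, which the guard's `not self._sparse` condition skips, is also left without a stated expectation, and the docstring could say so.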
