Check for tensors to be vectors in `BoostedTreesSparseAggregateStatsOp`. Calling `tensor->vec` should only happen after checking that the tensor shape implies a vector. Otherwise, we can get denial of service via `CHECK`-fails PiperOrigin-RevId: 410960878 Change-Id: I7b26bec796cbaebde4696862eb855160402b4b0d

commit: 8d733ecdb270dd90b2b5f53fd220d5ce17a5e20f [log] [tgz]
author: Mihai Maruseac <mihaimaruseac@google.com> Thu Nov 18 20:16:54 2021 -0800
committer: TensorFlower Gardener <gardener@tensorflow.org> Thu Nov 18 20:21:35 2021 -0800
tree: e09a4d894fda5a8f03f0e3efc39a29226cbfc8cc
parent: 831c4e95cbcde1aa3ae751c55e9fbda31609bb7a [diff]
diff --git a/tensorflow/core/kernels/boosted_trees/stats_ops.cc b/tensorflow/core/kernels/boosted_trees/stats_ops.cc
index eb1eab4..c6fae8d 100644
--- a/tensorflow/core/kernels/boosted_trees/stats_ops.cc
+++ b/tensorflow/core/kernels/boosted_trees/stats_ops.cc

@@ -1611,6 +1611,10 @@
     // node_ids.
     const Tensor* node_ids_t;
     OP_REQUIRES_OK(context, context->input("node_ids", &node_ids_t));
+    OP_REQUIRES(
+        context, TensorShapeUtils::IsVector(node_ids_t->shape()),
+        errors::InvalidArgument("node_ids must be a vector, received shape ",
+                                node_ids_t->shape().DebugString()));
     const auto node_ids = node_ids_t->vec<int32>();
 
     // gradients.
commit	8d733ecdb270dd90b2b5f53fd220d5ce17a5e20f	[log] [tgz]
author	Mihai Maruseac <mihaimaruseac@google.com>	Thu Nov 18 20:16:54 2021 -0800
committer	TensorFlower Gardener <gardener@tensorflow.org>	Thu Nov 18 20:21:35 2021 -0800
tree	e09a4d894fda5a8f03f0e3efc39a29226cbfc8cc
parent	831c4e95cbcde1aa3ae751c55e9fbda31609bb7a [diff]