
[bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data


From: Patrick Alken
Subject: [bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data
Date: Sun, 17 Jan 2021 17:24:30 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0

Follow-up Comment #1, bug #59624 (project gsl):

from msunet =at= shellblade =dot= net

This one is a "fix" for bug 59624, simply checking that |f| is in the expected
range.
Though I don't think there is ultimately a way to check in C whether the given
array has the right size, so a buggy application can still trigger the bug
described in the email thread.

---
 statistics/quantiles_source.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/statistics/quantiles_source.c b/statistics/quantiles_source.c
index e2956d9d..bf93a1a3 100644
--- a/statistics/quantiles_source.c
+++ b/statistics/quantiles_source.c
@@ -17,6 +17,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
USA.
  */
 
+#include <assert.h>
 
 double
 FUNCTION(gsl_stats,quantile_from_sorted_data) (const BASE sorted_data[], 
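
Review bot: The added #include <assert.h> ties the new range check to assert(), which expands to nothing when the library is compiled with NDEBUG defined, so a release build would keep the out-of-range index for f outside [0, 1]. An explicit if test on f that returns an error value stays active in every build and would not need this header.
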
@@ -24,6 +25,8 @@ FUNCTION(gsl_stats,quantile_from_sorted_data) (const BASE
sorted_data[],
                                                const size_t n,
                                                const double f)
 {
+  assert(0.0 <= f && f <= 1.0);
+
   const double index = f * (n - 1) ;
   const size_t lhs = (int)index ;
   const double delta = index - lhs ;
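
Review bot: The new assert(0.0 <= f && f <= 1.0) sits above the declarations of index, lhs and delta, so a statement now precedes declarations, which strict C89 compilers reject; move the check below the three declarations, since it only needs to run before sorted_data is indexed. A failing assert also aborts the calling process instead of reporting the bad argument to it, which callers of a library function may not expect.
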
-- 
2.27.0



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?59624>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
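
The range check discussed in the message above, written as an added example that is not part of the patch or of GSL's source: the test on f is an ordinary `if` that returns a status code, so it stays active under NDEBUG and also rejects NaN. It assumes a plain double array with stride 1 and linear interpolation between neighbouring elements; `checked_quantile`, `raw_index` and the `Q_*` codes are hypothetical names, and the sample data is constructed.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for this example only (hypothetical, not GSL's). */
enum { Q_OK = 0, Q_EMPTY = 1, Q_BAD_FRACTION = 2 };

/* Index arithmetic from the patch context, f * (n - 1), returned as a
   double so it can be inspected without touching any array. */
static double raw_index(size_t n, double f)
{
  return f * (double)(n - 1);
}

/* Range-checked quantile over a sorted double array (stride 1).
   The check is an ordinary if, so it survives -DNDEBUG, and isnan()
   rejects NaN explicitly. The array length is still trusted: as the
   post says, C cannot verify that sorted[] really holds n elements. */
int checked_quantile(const double sorted[], size_t n, double f, double *out)
{
  double index, delta;
  size_t lhs;

  if (n == 0)
    return Q_EMPTY;
  if (isnan(f) || f < 0.0 || f > 1.0)
    return Q_BAD_FRACTION;

  index = raw_index(n, f);       /* now guaranteed 0 <= index <= n-1 */
  lhs = (size_t)index;
  delta = index - (double)lhs;
  if (lhs == n - 1)              /* f == 1.0: nothing to the right */
    *out = sorted[lhs];
  else                           /* assumed: linear interpolation */
    *out = (1.0 - delta) * sorted[lhs] + delta * sorted[lhs + 1];
  return Q_OK;
}

int main(void)
{
  const double data[] = {1.0, 2.0, 3.0, 4.0, 5.0};  /* constructed sample */
  double q = 0.0;
  int rc = checked_quantile(data, 5, 0.5, &q);
  printf("f=0.5 rc=%d q=%g\n", rc, q);
  rc = checked_quantile(data, 5, 1.5, &q);
  printf("f=1.5 rc=%d (raw index %g, last valid index 4)\n",
         rc, raw_index(5, 1.5));
  return 0;
}
```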



