URL:
<https://savannah.gnu.org/bugs/?59624>
Summary: Buffer overflow in gsl_stats_quantile_from_sorted_data
Project: GNU Scientific Library
Submitted by: psa
Submitted on: Fri 04 Dec 2020 10:06:37 PM UTC
Category: Runtime error
Severity: 3 - Normal
Operating System:
Status: None
Assigned to: None
Open/Closed: Open
Release:
Discussion Lock: Any
_______________________________________________________
Details:
from zhoulai.fu =at= gmail =dot= com
Running the following code (also attached as a file) triggers a segmentation
error.
#include <stdio.h>
#include <gsl/gsl_sort.h>
#include <gsl/gsl_statistics.h>

int main(void)
{
  double upperq;
  double data[5] = {17.2, 18.1, 16.5, 18.3, 12.6};

  gsl_sort (data, 1, 5);                 /* stride 1, n = 5 */

  /* f = 675 is far outside the expected [0,1] range; the library does
     not range-check f, so the index f*(n-1) = 2700 is read past the
     end of the 5-element stack array. */
  upperq = gsl_stats_quantile_from_sorted_data (data, 1, 5, 675);
  printf ("%g\n", upperq);               /* the report crashes before this */
  return 0;
}
// gcc statsort_bug.c -lgsl -lgslcblas; ./a.out
The error points to statistics/quantiles_source.c:41:
result = (1 - delta) * sorted_data[lhs * stride] + delta * sorted_data[(lhs + 1) * stride] ;
The segmentation error is due to a stack buffer overflow (where
lhs=2700, stride=1 as shown in GDB). The bug could be exploited for a
security attack, knowing that it occurs when the quantile "f" is
beyond the expected [0,1] range (f=675 in this case).
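The index arithmetic behind the reported read, as an added example that is not part of the bug report and not GSL's own code. It mirrors the interpolating formula the report quotes from quantiles_source.c (index = f*(n-1), lhs = (int)index, delta = index - lhs) in a stand-alone file, so it needs no GSL link, and beside it puts a range-checked variant that rejects f outside [0,1]. The names quantile_index_lhs, quantile_checked, sample_quantile_or_nan, QUANTILE_EDOM and the sample array are assumptions made here; the input values are the report's, already sorted.

```c
#include <stddef.h>
#include <stdio.h>
#include <math.h>

/* Added example, not GSL code. The arithmetic follows the quantile
 * formula quoted in the report (index = f*(n-1), lhs = (int)index,
 * delta = index - lhs); every function name and the error code below
 * are assumptions of this example. */

/* Integer index lhs the formula reads for quantile f over n elements.
 * Without a range check, f outside [0,1] gives lhs outside [0, n-1]:
 * n=5, f=675 -> lhs = 4*675 = 2700, the value seen in GDB. */
long quantile_index_lhs(size_t n, double f)
{
    double index = f * (double)(n - 1);
    return (long)index;
}

/* Hypothetical error code for a domain error on f or n. */
#define QUANTILE_EDOM (-1)

/* Range-checked variant: refuses empty input and any f outside [0,1]
 * (the negated comparison also rejects NaN) instead of indexing past
 * the array. Writes the quantile through *result; returns 0 on success. */
int quantile_checked(const double sorted_data[], size_t stride, size_t n,
                     double f, double *result)
{
    if (n == 0 || !(f >= 0.0 && f <= 1.0))
        return QUANTILE_EDOM;

    double index = f * (double)(n - 1);
    size_t lhs = (size_t)index;
    double delta = index - (double)lhs;

    if (lhs >= n - 1)   /* f == 1.0: last element, no right neighbour */
        *result = sorted_data[(n - 1) * stride];
    else
        *result = (1 - delta) * sorted_data[lhs * stride]
                + delta * sorted_data[(lhs + 1) * stride];
    return 0;
}

/* The report's five values, sorted (constructed sample input). */
const double sample_sorted[5] = {12.6, 16.5, 17.2, 18.1, 18.3};

/* Convenience wrapper over the sample: NaN signals a rejected f. */
double sample_quantile_or_nan(double f)
{
    double q;
    if (quantile_checked(sample_sorted, 1, 5, f, &q) != 0)
        return NAN;
    return q;
}

int main(void)
{
    printf("n=5, f=675 -> lhs=%ld\n", quantile_index_lhs(5, 675.0));
    printf("f=675  -> %g (NaN means rejected, no out-of-bounds read)\n",
           sample_quantile_or_nan(675.0));
    printf("f=0.75 -> %g\n", sample_quantile_or_nan(0.75));
    printf("f=0.375 -> %g (interpolated)\n", sample_quantile_or_nan(0.375));
    return 0;
}
```

The check `!(f >= 0.0 && f <= 1.0)` is written in the negated form on purpose: a NaN quantile fails both comparisons and is rejected, whereas `f < 0.0 || f > 1.0` would let NaN through and then cast it to an unpredictable index.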
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 04 Dec 2020 10:06:37 PM UTC  Name: statsort_bug.c  Size: 316B  By: psa
<http://savannah.gnu.org/bugs/download.php?file_id=50406>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?59624>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/