bug-gsl

[bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data


From: Patrick Alken
Subject: [bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data
Date: Fri, 4 Dec 2020 17:06:38 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0

URL:
  <https://savannah.gnu.org/bugs/?59624>

                 Summary: Buffer overflow in gsl_stats_quantile_from_sorted_data
                 Project: GNU Scientific Library
            Submitted by: psa
            Submitted on: Fri 04 Dec 2020 10:06:37 PM UTC
                Category: Runtime error
                Severity: 3 - Normal
        Operating System: 
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: 
         Discussion Lock: Any

    _______________________________________________________

Details:

from zhoulai.fu =at= gmail =dot= com

Running the following code (also attached as a file) triggers a segmentation
error.

#include <stdio.h>
#include <gsl/gsl_sort.h>
#include <gsl/gsl_statistics.h>

int main(void)
{
  double upperq;
  double data[5] = {17.2, 18.1, 16.5, 18.3, 12.6};
  gsl_sort (data, 1, 5);   /* sort in place: stride 1, n = 5 */
  /* f = 675 lies far outside the expected [0,1] quantile range */
  upperq = gsl_stats_quantile_from_sorted_data (data, 1, 5, 675);
  return 0;
}
// gcc statsort_bug.c -lgsl -lgslcblas; ./a.out

The error points to statistics/quantiles_source.c:41:

      result = (1 - delta) * sorted_data[lhs * stride] + delta * sorted_data[(lhs + 1) * stride] ;

The segmentation error is due to a stack buffer overflow (where
lhs=2700, stride=1 as shown in GDB). The bug could be exploited for a
security attack, knowing that it occurs when the quantile "f" is
beyond the expected [0,1] range (f=675 in this case).



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 04 Dec 2020 10:06:37 PM UTC  Name: statsort_bug.c  Size: 316B   By: psa

<http://savannah.gnu.org/bugs/download.php?file_id=50406>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?59624>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
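The report above shows f = 675 driving lhs to 2700 on a five-element array. What follows is an added example, not code from the report or from GSL: it reimplements GSL's documented interpolation (index = (n-1)*f, lhs = floor(index), delta = index - lhs) in a hypothetical safe_quantile_from_sorted that rejects f outside [0,1] before touching the array, and also handles the f = 1.0 edge where lhs + 1 would run one element past the end.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical hardened variant (added example, not GSL's code) of the
 * documented quantile interpolation. Returns 0 and writes the result to *out,
 * or -1 for empty data, zero stride, or f outside [0,1] (NaN fails both
 * comparisons, so it is rejected as well). */
int safe_quantile_from_sorted(const double *sorted, size_t stride, size_t n,
                              double f, double *out)
{
    if (sorted == NULL || n == 0 || stride == 0 || !(f >= 0.0 && f <= 1.0))
        return -1;
    double index = f * (double)(n - 1);  /* position in [0, n-1] */
    size_t lhs = (size_t)index;          /* floor, since index >= 0 */
    double delta = index - (double)lhs;

    /* lhs == n-1 only when f == 1.0; the generic formula would then read
     * sorted[(lhs+1)*stride], one element past the end. */
    if (lhs == n - 1) {
        *out = sorted[lhs * stride];
        return 0;
    }
    *out = (1.0 - delta) * sorted[lhs * stride]
         + delta * sorted[(lhs + 1) * stride];
    return 0;
}

/* The index the unchecked formula computes for n elements and quantile f;
 * for n = 5 and f = 675 this is 2700, the value the report saw in GDB. */
size_t unchecked_lhs(size_t n, double f)
{
    return (size_t)(f * (double)(n - 1));
}

int main(void)
{
    /* Constructed input: the reporter's five values, sorted ascending. */
    const double data[5] = {12.6, 16.5, 17.2, 18.1, 18.3};
    double q;

    printf("unchecked lhs for f=675: %zu\n", unchecked_lhs(5, 675.0));
    if (safe_quantile_from_sorted(data, 1, 5, 675.0, &q) != 0)
        printf("f=675 rejected before any array access\n");
    if (safe_quantile_from_sorted(data, 1, 5, NAN, &q) != 0)
        printf("f=NaN rejected\n");
    if (safe_quantile_from_sorted(data, 1, 5, 0.5, &q) == 0)
        printf("median = %.1f\n", q);
    return 0;
}
```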
