[bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data
From: Patrick Alken
Subject: [bug #59624] Buffer overflow in gsl_stats_quantile_from_sorted_data
Date: Fri, 4 Dec 2020 17:06:38 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
URL:
<https://savannah.gnu.org/bugs/?59624>
Summary: Buffer overflow in gsl_stats_quantile_from_sorted_data
Project: GNU Scientific Library
Submitted by: psa
Submitted on: Fri 04 Dec 2020 10:06:37 PM UTC
Category: Runtime error
Severity: 3 - Normal
Operating System:
Status: None
Assigned to: None
Open/Closed: Open
Release:
Discussion Lock: Any
_______________________________________________________
Details:
from zhoulai.fu =at= gmail =dot= com
Running the following code (also attached as a file) triggers a segmentation
error.
#include <stdio.h>
#include <gsl/gsl_sort.h>
#include <gsl/gsl_statistics.h>

int main(void)
{
  double upperq;
  double data[5] = {17.2, 18.1, 16.5, 18.3, 12.6};

  /* sort in place (stride 1, n = 5), as the quantile routine expects sorted input */
  gsl_sort (data, 1, 5);

  /* f = 675 lies outside the valid quantile range [0,1]; the library does not check it */
  upperq = gsl_stats_quantile_from_sorted_data (data, 1, 5, 675);
  printf ("%g\n", upperq);   /* never reached: the call above crashes */

  return 0;
}
// gcc statsort_bug.c -lgsl -lgslcblas; ./a.out
The error points to statistics/quantiles_source.c:41:
result = (1 - delta) * sorted_data[lhs * stride] + delta * sorted_data[(lhs + 1) * stride] ;
The segmentation error is due to a stack buffer overflow (where
lhs=2700, stride=1 as shown in GDB). The bug could be exploited for a
security attack, knowing that it occurs when the quantile "f" is
beyond the expected [0,1] range (f=675 in this case).
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 04 Dec 2020 10:06:37 PM UTC  Name: statsort_bug.c  Size: 316B  By: psa
<http://savannah.gnu.org/bugs/download.php?file_id=50406>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?59624>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
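As an added example, not part of the report above or of GSL's own source: the index arithmetic that turns f=675, n=5 into lhs=2700, next to an input-validating wrapper that refuses f outside [0,1] before any array access. The wrapper, its name and the sample data are assumptions; its interpolation mirrors the quoted quantiles_source.c line.

```c
#include <stddef.h>
#include <errno.h>
#include <math.h>

/* Index arithmetic behind the quoted quantiles_source.c line: with n = 5 and
 * f = 675 it gives lhs = 2700, the value the report saw in GDB, which is then
 * used as an array index without any range check. */
size_t quantile_lhs(size_t n, double f)
{
    const double index = f * (double)(n - 1);
    return (size_t)index;
}

/* Hardened wrapper (assumed name): rejects f outside [0,1] and degenerate
 * stride/n before touching the array, so no out-of-bounds read can occur.
 * Returns 0 and stores the quantile in *out, or -1 with errno set. */
int checked_quantile_from_sorted_data(const double *sorted, size_t stride,
                                      size_t n, double f, double *out)
{
    if (sorted == NULL || out == NULL || stride == 0 || n == 0) {
        errno = EINVAL;
        return -1;
    }
    if (!(f >= 0.0 && f <= 1.0)) {  /* written so that NaN is rejected too */
        errno = EDOM;
        return -1;
    }
    const double index = f * (double)(n - 1);
    const size_t lhs = (size_t)index;
    const double delta = index - (double)lhs;
    if (lhs >= n - 1)               /* f == 1.0: last element, no lhs+1 read */
        *out = sorted[lhs * stride];
    else
        *out = (1.0 - delta) * sorted[lhs * stride]
             + delta * sorted[(lhs + 1) * stride];
    return 0;
}

/* Constructed sample: the report's five values after sorting. */
static const double SAMPLE_SORTED[5] = {12.6, 16.5, 17.2, 18.1, 18.3};

/* Quantile of the sample, or NAN when the input is rejected. */
double sample_quantile(double f)
{
    double q;
    return checked_quantile_from_sorted_data(SAMPLE_SORTED, 1, 5, f, &q) == 0 ? q : NAN;
}
```

With the report's data, sample_quantile(0.75) returns 18.1 while sample_quantile(675.0) returns NAN with errno set to EDOM instead of reading past the array.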