Dear Reinhard,

Please find attached a patch for a heap-buffer-overflow that I have identified in the CRAN spam package. The rationale for the fix is in the patch header.

I have applied this patch to the Debian package r-cran-spam.

Best regards,

-- 
⢀⣴⠾⠻⢶⣦⠀ Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁ Debian Developer
⢿⡄⠘⠷⠚⠋⠀ https://sebastien.villemot.name
⠈⠳⣄⠀⠀⠀⠀ https://www.debian.org
Description: Fix heap-buffer-overflow in dn_eigen_f The “dr” and “di” array arguments of “dn_eigen_f” require double arrays of length “maxnev+1” (see the function prototype in src/dn_eigen.f). . The bug has been fortuitously exposed by the autopkgtest as part of the testing migration of lapack 3.10.0-1, on the i386 architecture. See https://ci.debian.net/data/autopkgtest/testing/i386/r/r-cran-spam/15629153/log.gz . The too small buffer would lead to a heap-buffer-overflow triggered at line 669 of src/dn_ARPACK.f (inside the function call sequence dn_eigen_f→dneupd→dcopy, triggered from line 43 of tests/testthat/test-eigen.R) Author: Sébastien Villemot <sebastien@debian.org> Forwarded: no Last-Update: 2021-10-01 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/R/eigen.R +++ b/R/eigen.R @@ -219,8 +219,8 @@ eigen_approx <- function(x, ja = x@colindices, ia = x@rowpointers, v = vector_dc("double", x@dimension[1]*ncv), - dr = vector_dc("double", nev), - di = vector_dc("double", nev), + dr = vector_dc("double", nev+1), + di = vector_dc("double", nev+1), iparam = integer_dc(8), INTENT = c("r", "r", "r", "r", "r", "r", "r", "r", "r", "rw", "rw", "rw", "rw"),
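Review bot: In the `dr`/`di` lines of the R/eigen.R hunk the new length is written as `nev+1`, while the patch header states the requirement from src/dn_eigen.f as `maxnev+1`; the hunk does not show which value is passed as `maxnev` in this call, so please confirm it is `nev`, or size both buffers from the same expression that is passed as `maxnev` so the two cannot drift apart. A short comment next to `dr = vector_dc("double", nev+1)` pointing at the prototype would explain the extra element to later readers, who may otherwise "simplify" it back to `nev`. Since the header says the overflow was only fortuitously exposed on i386, it would also be worth running tests/testthat/test-eigen.R under a memory checker (ASan or valgrind) so an undersized buffer fails deterministically on every architecture.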