Dear Reinhard,

Please find attached a patch for a heap-buffer-overflow that I have identified in the CRAN spam package. The rationale for the fix is in the patch header.

I have applied this patch to the Debian package r-cran-spam.

Best regards,

--
⢀⣴⠾⠻⢶⣦⠀ Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁ Debian Developer
⢿⡄⠘⠷⠚⠋⠀ https://sebastien.villemot.name
⠈⠳⣄⠀⠀⠀⠀ https://www.debian.org

Description: Fix heap-buffer-overflow in dn_eigen_f
The “dr” and “di” array arguments of “dn_eigen_f” require double arrays of
length “maxnev+1” (see the function prototype in src/dn_eigen.f).
.
The bug has been fortuitously exposed by the autopkgtest as part of the
testing migration of lapack 3.10.0-1, on the i386 architecture.
See https://ci.debian.net/data/autopkgtest/testing/i386/r/r-cran-spam/15629153/log.gz
.
The too small buffer would lead to a heap-buffer-overflow triggered at line 669
of src/dn_ARPACK.f (inside the function call sequence dn_eigen_f→dneupd→dcopy,
triggered from line 43 of tests/testthat/test-eigen.R)
Author: Sébastien Villemot <sebastien@debian.org>
Forwarded: no
Last-Update: 2021-10-01
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/R/eigen.R
+++ b/R/eigen.R
@@ -219,8 +219,8 @@ eigen_approx <- function(x,
ja = x@colindices,
ia = x@rowpointers,
v = vector_dc("double", x@dimension[1]*ncv),
- dr = vector_dc("double", nev),
- di = vector_dc("double", nev),
+ dr = vector_dc("double", nev+1),
+ di = vector_dc("double", nev+1),
iparam = integer_dc(8),
INTENT = c("r", "r", "r", "r", "r", "r", "r", "r", "r",
"rw", "rw", "rw", "rw"),