authorClément DAVID <clement.david@esi-group.com>2019-07-24 10:13:57 +0200
committerAntoine ELIAS <antoine.elias@esi-group.com>2019-07-24 12:28:23 +0200
commit081354179eecddda5ae70bf9291f4db22cb7deee (patch)
tree7434b7431a5a6d5b854d82bc58d315ea2d3d78f6
parent8fcb322b6d7d675cc2f67eba9e81a178d2534349 (diff)
ast: fix ArrayOf<T>::insertNew out-of-bounds access
Will fix Coverity ID #1401289 as well as running ast tests using valgrind or ASAN. Change-Id: If8141f3c9776116eb47d36555ecff8902421c631
-rw-r--r--scilab/modules/ast/src/cpp/types/arrayof.cpp33
1 files changed, 19 insertions, 14 deletions
diff --git a/scilab/modules/ast/src/cpp/types/arrayof.cpp b/scilab/modules/ast/src/cpp/types/arrayof.cpp
index 32727e4..8772fbe 100644
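--- a/scilab/modules/ast/src/cpp/types/arrayof.cpp
+++ b/scilab/modules/ast/src/cpp/types/arrayof.cpp
@@ -689,7 +689,9 @@ GenericType* ArrayOf<T>::insertNew(typed_list* _pArgs)
 pArg[i] = createDoubleVector(piMaxDim[i]);
 --iNbColon;
 }
-else if (piCountDim[i] == piSourceDims[iSource] && (piCountDim[i] > 1 || iNbColon < iSourceDims))
+else if (iSource < iSourceDims &&
+piCountDim[i] == piSourceDims[iSource] &&
+(piCountDim[i] > 1 || iNbColon < iSourceDims))
 {
 ++iSource;
 }
@@ -905,7 +907,10 @@ GenericType* ArrayOf<T>::remove(typed_list* _pArgs)
 pIndexesVect.erase(unique(pIndexesVect.begin(), pIndexesVect.end()), pIndexesVect.end());
 //remove index > iDimToCheck to allow a[10, 10](1, 1:100) = [] and a[10, 10]([1 5 20], :) = []
 auto lastUnique = std::find_if(pIndexesVect.begin(), pIndexesVect.end(),
-[&iDimToCheck](int idx) { return idx > iDimToCheck; });
+[&iDimToCheck](int idx)
+{
+return idx > iDimToCheck;
+});
 pIndexesVect.erase(lastUnique, pIndexesVect.end());
 
 if (pIndexesVect.size() != iDimToCheck)
@@ -988,46 +993,46 @@ GenericType* ArrayOf<T>::remove(typed_list* _pArgs)
 
 // find a way to copy existing data to new variable ...
 int* piViewDims = new int[iOrigDims];
-int* piOffset = new int[iOrigDims+1];
+int* piOffset = new int[iOrigDims + 1];
 
 // offsets
 piOffset[0] = 1;
 for (int i = 0; i < iOrigDims; i++)
 {
 piViewDims[i] = getVarMaxDim(i, iOrigDims);
-piOffset[i+1] = piViewDims[i]*piOffset[i];
+piOffset[i + 1] = piViewDims[i] * piOffset[i];
 }
 
 // indexes to remove -> [ 0, toDelIndexVect, piViewDims[iToDelIndex]+1 ] to facilitate loop
-toDelIndexVect.insert(toDelIndexVect.begin(),0);
-toDelIndexVect.push_back(piViewDims[iToDelIndex]+1);
+toDelIndexVect.insert(toDelIndexVect.begin(), 0);
+toDelIndexVect.push_back(piViewDims[iToDelIndex] + 1);
 
 int iStart;
 int iSize;
 int iOffset1 = piOffset[iToDelIndex];
-int iOffset2 = piOffset[iToDelIndex+1];
-int iNbChunks = getSize()/iOffset2;
+int iOffset2 = piOffset[iToDelIndex + 1];
+int iNbChunks = getSize() / iOffset2;
 
 // fast algorithm (allowing in place removal if necessary)
 for (int k = 0, iDest = 0; k < iNbChunks; k++)
 {
-iStart = k*iOffset2;
+iStart = k * iOffset2;
 // loop on indexes to remove
-for (int j = 0; j < toDelIndexVect.size()-1; j++)
+for (int j = 0; j < toDelIndexVect.size() - 1; j++)
 {
-iSize = (toDelIndexVect[j+1]-toDelIndexVect[j]-1)*iOffset1;
+iSize = (toDelIndexVect[j + 1] - toDelIndexVect[j] - 1) * iOffset1;
 if (isNativeType())
 {
-memcpy(pOut->m_pRealData + iDest, m_pRealData + iStart, iSize*sizeof(T));
+memcpy(pOut->m_pRealData + iDest, m_pRealData + iStart, iSize * sizeof(T));
 if (m_pImgData != NULL)
 {
-memcpy(pOut->m_pImgData + iDest, m_pImgData + iStart, iSize*sizeof(T));
+memcpy(pOut->m_pImgData + iDest, m_pImgData + iStart, iSize * sizeof(T));
 }
 iDest += iSize;
 }
 else
 {
-for (int i = iStart; i < iStart+iSize; i++, iDest++)
+for (int i = iStart; i < iStart + iSize; i++, iDest++)
 {
 pOut->set(iDest, get(i));
 if (m_pImgData != NULL)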
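Review bot: The new `iSource < iSourceDims` guard in the insertNew hunk stops the read of `piSourceDims[iSource]` past the end (presumably that array holds `iSourceDims` entries), but nothing on the new lines says why it must come first or what should happen once the source dimensions are exhausted. When the guard fails, the dimension silently falls through to whatever follows this `else if`, which lies outside the hunk, so it is worth confirming that this fall-through is the intended result and not a case that should report a dimension mismatch. I would add a comment above the condition such as `// test iSource first: && short-circuits, so piSourceDims[iSource] is only read while iSource is a valid index`. Since the commit message cites valgrind/ASAN runs, a small ast test that reproduces the over-read would keep the guard from being reordered or dropped later. The other two hunks only reformat existing code.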