forked from cran/lpSolve
Potential Integer Overflow vulnerability in src/mmio.c #9
Comments
gaborcsardi added a commit that referenced this issue on Sep 27, 2022:

Following lpSolveAPI. Original error:
```
> ### Name: lp
> ### Title: Linear and Integer Programming
> ### Aliases: lp
> ### Keywords: optimize
>
> ### ** Examples
>
> #
> # Set up problem: maximize
> # x1 + 9 x2 + x3 subject to
> # x1 + 2 x2 + 3 x3 <= 9
> # 3 x1 + 2 x2 + 2 x3 <= 15
> #
> f.obj <- c(1, 9, 1)
> f.con <- matrix (c(1, 2, 3, 3, 2, 2), nrow=2, byrow=TRUE)
> f.dir <- c("<=", "<=")
> f.rhs <- c(9, 15)
> #
> # Now run.
> #
> lp ("max", f.obj, f.con, f.dir, f.rhs)
lp_presolve.c:193:34: runtime error: applying non-zero offset 16 to null pointer
    #0 0x7f9ffc9213db in presolve_rebuildUndo /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_presolve.c:193:34
    #1 0x7f9ffc988821 in postsolve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_presolve.c:5620:5
    #2 0x7f9ffc9fcbff in spx_solve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_simplex.c:2062:9
    #3 0x7f9ffc9fe260 in lin_solve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_simplex.c:2154:12
    #4 0x7f9ffca13511 in lpslink /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lpslink56.c:377:25
    #5 0x74ef88 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c
    #6 0x83f0a5 in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7126:14
    #7 0x829ade in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:748:8
    #8 0x891fd3 in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c
    #9 0x88dc7f in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1844:16
    #10 0x82a518 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:871:12
    #11 0x95ade6 in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:264:2
    #12 0x95e340 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:316:11
    #13 0x95e149 in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1194:5
    #14 0x95e482 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1201:5
    #15 0x4f30ba in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29:5
    #16 0x7fa00c1cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) (BuildId: 08df60634339b221bb854d4e10b7278cafde70c4)
    #17 0x43231d in _start (/data/gannet/ripley/R/R-clang-SAN/bin/exec/R+0x43231d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lp_presolve.c:193:34 in
Success: the objective function is 40.5
```
I got the following bug report against the Debian instance of lpSolve which
you maintain. This clearly comes from an automated scanning system so may
have false positives. A (very quick) look for mmio upstream suggests that it
has not changed. So maybe worth putting a local change in. Let me know if you
have other thoughts / if you become aware of a more general solution.
Best, Dirk
On 3 September 2021 at 21:12, Potential Buffer Overflow vulnerability in xfig-3.2.7b wrote:
| Package: r-cran-lpsolve
| Version: 5.6.15
| Severity: normal
|
| Dear Maintainer,
|
| It seems that there exists a potential Integer Overflow in src/mmio.c.
| in line 53,
| (53) if (mm_read_mtx_crd_size(f, &M, &N, &nz) !=0)
| ...
| (65) I = (int *) malloc(nz * sizeof(int));
| (66) J = (int *) malloc(nz * sizeof(int));
|
| in function mm_read_mtx_crd_size(FILE *f, int *M, int *N, int *nz ),
| in line 207,
| (207) if (sscanf(line, "%d %d %d", M, N, nz) >= 2)
|
| As a result, in line 65, variable nz is read from external source.
| If nz is large enough, multiplication may cause allocation to wrong value.
|
|
| -- System Information:
| Debian Release: 11.0
| APT prefers oldstable-updates
| APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
| Architecture: amd64 (x86_64)
|
| Kernel: Linux 4.4.0-19041-Microsoft
| Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
| Shell: /bin/sh linked to /bin/dash
| Init: unable to detect
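The pattern the report describes, a count read from the file by `sscanf` and multiplied straight into a `malloc` size, can be closed by validating the size line before any allocation is derived from it. The following is an added example written for this page, not code from lpSolve's `src/mmio.c` or from the reporter; the function names `crd_size_parse_checked`, `crd_alloc_index`, `crd_status_of` and `crd_alloc_ok`, the status codes and the sample size lines are all constructed for illustration. Unlike the line-207 check quoted above, which accepts two fields, the hardened reader requires all three, rejects negative or out-of-range values, caps `nz` at `M * N`, and guards `nz * sizeof(int)` against `size_t` wraparound.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes for the size-line reader (hypothetical names, not mmio's own). */
enum crd_status { CRD_OK = 0, CRD_PARSE_ERROR = 1, CRD_RANGE_ERROR = 2 };

/* Shape of the unchecked pattern from the report, kept only for comparison:
   a negative or very large nz reaches malloc unexamined. */
int *crd_alloc_index_unchecked(int nz)
{
    return (int *) malloc(nz * sizeof(int));
}

/* Parse one decimal field into an int with strict overflow checking
   (sscanf's %d is undefined on out-of-range input; strtoll reports ERANGE). */
static int parse_int_field(const char **cursor, int *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(*cursor, &end, 10);
    if (end == *cursor || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    *cursor = end;
    *out = (int) v;
    return 1;
}

/* Parse a coordinate-format size line "M N nz" and validate every value
   before an allocation size is computed from it. */
int crd_size_parse_checked(const char *line, int *M, int *N, int *nz)
{
    const char *p = line;
    int m, n, k;
    if (!parse_int_field(&p, &m) || !parse_int_field(&p, &n) || !parse_int_field(&p, &k))
        return CRD_PARSE_ERROR;
    while (*p != '\0') {                         /* only whitespace may follow the fields */
        if (!isspace((unsigned char) *p))
            return CRD_PARSE_ERROR;
        p++;
    }
    if (m <= 0 || n <= 0 || k < 0)               /* negative nz would become a huge size_t */
        return CRD_RANGE_ERROR;
    if ((unsigned long long) k > (unsigned long long) m * (unsigned long long) n)
        return CRD_RANGE_ERROR;                  /* more entries than the matrix has cells */
    if ((size_t) k > SIZE_MAX / sizeof(int))     /* nz * sizeof(int) would wrap on 32-bit */
        return CRD_RANGE_ERROR;
    *M = m; *N = n; *nz = k;
    return CRD_OK;
}

/* Allocate one index array for a validated nz; NULL on any failure.
   calloc re-checks the product itself, so the guard is belt and braces. */
int *crd_alloc_index(int nz)
{
    if (nz < 0 || (size_t) nz > SIZE_MAX / sizeof(int))
        return NULL;
    return (int *) calloc((size_t) nz, sizeof(int));
}

/* Plain-value wrappers so the checks are easy to exercise. */
int crd_status_of(const char *line)
{
    int M, N, nz;
    return crd_size_parse_checked(line, &M, &N, &nz);
}

int crd_alloc_ok(int nz)
{
    int *p = crd_alloc_index(nz);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed sample size lines, not taken from any real Matrix Market file. */
    const char *samples[] = { "3 3 5", "3 3 -1", "3 3 10", "0 3 1",
                              "3 3", "3 3 99999999999", "3 3 5 junk" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> status %d\n", samples[i], crd_status_of(samples[i]));
    return 0;
}
```

The `M * N` cap is the check that does the real work on 64-bit builds, where `nz * sizeof(int)` cannot wrap but a negative or absurd `nz` still produces an allocation the rest of the reader will never be able to fill; the `SIZE_MAX / sizeof(int)` guard is what prevents the wraparound the report is about on 32-bit targets.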