AddressSanitizer: rbind heap overflow #118

Closed
joshuaulrich opened this issue Oct 11, 2015 · 0 comments
The following simple example causes AddressSanitizer to report a heap buffer overflow.

R> sessionInfo()
R Under development (unstable) (2015-10-09 r69501)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 15.04

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C              
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8    
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8   
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C                 
 [9] LC_ADDRESS=C               LC_TELEPHONE=C            
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C       

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base 
R> require(xts)
R> x <- .xts(1:17, c(rep(1:8, each=2), 9))
R> y <- .xts(18L, 9)
R> rbind(x,y)
=================================================================
==31338==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000016170
  at pc 0x7fb4b55dc6eb bp 0x7fffd47e48a0 sp 0x7fffd47e4890
READ of size 8 at 0x60f000016170 thread T0
    #0 0x7fb4b55dc6ea in do_rbind_xts xts/src/rbind.c:216
    #1 0x7fb4b55dc9d9 in rbindXts xts/src/rbind.c:530
    #2 0x52c479 in do_External ../../../R-svn/src/main/dotcode.c:548
<snip remaining output>

xts/src/rbind.c:216 is

if( real_xindex[ xp-1 ] < real_xindex[ xp   ] )

and xp is initialized to xp=1 at the beginning of the do_rbind_xts call. This is only potentially a problem if x and y share an index value, and the shared index value happens to be the last value in the x index. In that case, real_xindex[xp-1] returns the last element, and real_xindex[xp] accesses memory outside the bounds of the x index.

@joshuaulrich joshuaulrich self-assigned this Oct 11, 2015
@joshuaulrich joshuaulrich added this to the Release 0.10-0 milestone Oct 11, 2015
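The access pattern described in the issue, as an added example that is not xts code and not part of the original report: a simplified merge of two sorted indexes with 1-based cursors, where the lookahead `x[xp]` is guarded and the cases the unguarded form would have read past the end are counted. Only the comparison and `xp=1` come from the issue; the loop structure and the names `merge_index` and `past_end` are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Merge two sorted indexes (x rows first on ties) using 1-based cursors as in
 * the issue. Returns the number of elements written to out (capacity nx+ny).
 * *past_end counts ties where the unguarded lookahead x[xp] would have read
 * one element past the end of x. Hypothetical model, not the xts source. */
size_t merge_index(const double *x, size_t nx, const double *y, size_t ny,
                   double *out, size_t *past_end)
{
    size_t xp = 1, yp = 1, n = 0;
    *past_end = 0;
    while (xp <= nx || yp <= ny) {
        if (xp > nx) {                        /* x exhausted */
            out[n++] = y[yp++ - 1];
        } else if (yp > ny) {                 /* y exhausted */
            out[n++] = x[xp++ - 1];
        } else if (x[xp - 1] == y[yp - 1]) {  /* shared index value */
            int last = (xp == nx);            /* x[xp] does not exist */
            if (last)
                (*past_end)++;
            /* Guarded form of: if (x[xp-1] < x[xp]) */
            int next_is_greater = last || x[xp - 1] < x[xp];
            out[n++] = x[xp - 1];
            xp++;
            if (next_is_greater)              /* run of duplicates in x ended */
                out[n++] = y[yp++ - 1];
        } else if (x[xp - 1] < y[yp - 1]) {
            out[n++] = x[xp++ - 1];
        } else {
            out[n++] = y[yp++ - 1];
        }
    }
    return n;
}

int main(void)
{
    /* Constructed index values matching the issue's reproducer */
    double x[17], y[1] = {9}, out[18];
    size_t past_end, i;
    for (i = 0; i < 16; i++) x[i] = (double)(i / 2 + 1);
    x[16] = 9;
    size_t n = merge_index(x, 17, y, 1, out, &past_end);
    printf("merged=%zu lookaheads_past_end=%zu\n", n, past_end);
    return 0;
}
```

Because `last ||` short-circuits, `x[xp]` is never evaluated when `xp == nx`, which is the case AddressSanitizer flagged.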