From: Ben Pfaff
Date: Fri, 27 Jan 2023 19:43:00 +0000 (-0800)
Subject: pivot-table: Fix buffer overflow in corner case in pivot_table_dump().
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04f15744f2172fe1809e8b815768299751173e39;p=pspp

pivot-table: Fix buffer overflow in corner case in pivot_table_dump().

Dumping a table with a layer dimension that has no leaves read from an invalid pointer. This fixes the problem.

This functionality isn't used in PSPP, only by "pspp-output dump".
---
diff --git a/src/output/pivot-table.c b/src/output/pivot-table.c
index f4b7fb7110..81a8b31925 100644
--- a/src/output/pivot-table.c
+++ b/src/output/pivot-table.c
@@ -2101,11 +2101,17 @@ pivot_table_dump (const struct pivot_table *table, int indentation)
 {
 const struct pivot_dimension *d = layer_axis->dimensions[i];
 char *name = pivot_value_to_string (d->root->name, table);
- char *value = pivot_value_to_string ( d->data_leaves[table->current_layer[i]]->name, table);
- printf (" %s=%s", name, value);
- free (value);
+ printf (" %s", name);
 free (name);
+
+ size_t ofs = table->current_layer[i];
+ if (ofs < d->n_leaves)
+ {
+ char *value = pivot_value_to_string (d->data_leaves[ofs]->name,
+ table);
+ printf ("=%s", value);
+ free (value);
+ }
 }
 putchar ('\n');
diff --git a/src/output/pivot-table.h b/src/output/pivot-table.h
index 630547ebaf..d45f3138c3 100644
--- a/src/output/pivot-table.h
+++ b/src/output/pivot-table.h
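Review bot: The guard `if (ofs < d->n_leaves)` on the new side drops the `=value` part for any out-of-range index, not only the documented zero-leaf case, so a dimension that does have leaves but carries a stale or corrupt `current_layer[i]` dumps exactly like an empty one. For a diagnostic dump that state is worth showing rather than hiding, e.g. an `else if (d->n_leaves) printf ("=<bad leaf index %zu/%zu>", ofs, d->n_leaves);` branch after the `if`. This hunk guards only the dump; if the rendering path indexes `data_leaves[]` from `current_layer[]` in the same way, it presumably needs the same bounds check, which this commit does not add. The enclosing loop and pivot_table_dump itself begin and end outside the hunk.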
@@ -481,11 +481,17 @@ struct pivot_table
 bool show_grid_lines;
 bool show_title;
 bool show_caption;
- size_t *current_layer; /* axes[PIVOT_AXIS_LAYER].n_dimensions elements. */
 enum settings_value_show show_values;
 enum settings_value_show show_variables;
 struct fmt_spec weight_format;
+ /* Current layer indexes, with axes[PIVOT_AXIS_LAYER].n_dimensions elements. current_layer[i] is an offset into axes[PIVOT_AXIS_LAYER].dimensions[i]->data_leaves[], EXCEPT that a dimension can have zero leaves, in which case current_layer[i] is zero and there's no corresponding leaf. */
+ size_t *current_layer;
+
 /* Column and row sizing and page breaks. sizing[TABLE_HORZ] is for columns, sizing[TABLE_VERT] is for rows. */
 struct pivot_table_sizing sizing[TABLE_N_AXES];
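Review bot: The new comment on `current_layer` documents the zero-leaf exception but leaves the normal-case invariant implicit, so a reader still has to guess whether `current_layer[i] < dimensions[i]->n_leaves` is guaranteed or must be checked before indexing. I would add a sentence such as `Otherwise current_layer[i] < dimensions[i]->n_leaves; code that indexes data_leaves[] with it must compare against n_leaves first.` so the check the dumper now performs is stated here as the field's contract. Moving the field below weight_format also changes the struct's layout, which is harmless only if every user of struct pivot_table is rebuilt from this header, presumably the case inside PSPP. The struct definition begins and ends outside the hunk.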