From: Ben Pfaff Date: Fri, 27 Jan 2023 02:35:38 +0000 (-0800) Subject: pivot-table: Fix buffer overflow in pivot_table_dump() in corner case. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d4fd34e39a08347a10973a22cd865e948d30c06;p=pspp pivot-table: Fix buffer overflow in pivot_table_dump() in corner case. This occurred when categories were more deeply nested into groups than there were leaf categories. This functionality isn't used in PSPP, only by "pspp-output dump". --- diff --git a/src/output/pivot-table.c b/src/output/pivot-table.c index 1a200f75c0..f4b7fb7110 100644 --- a/src/output/pivot-table.c +++ b/src/output/pivot-table.c @@ -2028,6 +2028,20 @@ pivot_table_sizing_dump (const char *name, } } +static void +dump_leaf (const struct pivot_table *table, const struct pivot_category *c) +{ + if (c) + { + dump_leaf (table, c->parent); + if (pivot_category_is_leaf (c) || c->show_label) + { + putchar (' '); + pivot_value_dump (c->name, table); + } + } +} + void pivot_table_dump (const struct pivot_table *table, int indentation) { @@ -2113,23 +2127,7 @@ pivot_table_dump (const struct pivot_table *table, int indentation) pivot_value_dump (d->root->name, table); fputs (" =", stdout); - struct pivot_value **names = xnmalloc (d->n_leaves, sizeof *names); - size_t n_names = 0; - for (const struct pivot_category *c - = d->presentation_leaves[layer_indexes[i]]; - c; - c = c->parent) - { - if (pivot_category_is_leaf (c) || c->show_label) - names[n_names++] = c->name; - } - - for (size_t i = n_names; i-- > 0;) - { - putchar (' '); - pivot_value_dump (names[i], table); - } - free (names); + dump_leaf (table, d->presentation_leaves[layer_indexes[i]]); } putchar ('\n');