Fix buffer overflow in linear regression.

When the dependent variable and the indepdendent variable
are one and the same (a rather pointless situation), a buffer overflow
would occur.  This change fixes that.

Reported by: Andrea Fioraldi

Fixes bug: #58599

diff --git a/src/language/stats/regression.c b/src/language/stats/regression.c
index 28618f12b0a89a2a04a04b10d2f8bd6425d20cc2..6fa114338eb344daca89cd15bf0a1041491548ef 100644 (file)
--- a/src/language/stats/regression.c
+++ b/src/language/stats/regression.c
@@ -706,8 +706,13 @@ run_regression_get_models (const struct regression *cmd,
   size_t n_all_vars = get_n_all_vars (cmd);
   const struct variable **all_vars = xnmalloc (n_all_vars, sizeof (*all_vars));
 
-  double *means = xnmalloc (n_all_vars, sizeof (*means));
-
+  /* In the (rather pointless) case where the dependent variable is
+     the independent variable, n_all_vars == 1.
+     However this would result in a buffer overflow so we must
+     over-allocate the space required in this malloc call.
+     See bug #58599  */
+  double *means = xnmalloc (n_all_vars <= 1 ? 2 : n_all_vars,
+                            sizeof (*means));
   fill_all_vars (all_vars, cmd);
   cov = covariance_1pass_create (n_all_vars, all_vars,
                                  dict_get_weight (dataset_dict (cmd->ds)),