From 95008dd8d8a668c4e7163486835e32d1755b8269 Mon Sep 17 00:00:00 2001
From: John Darrington
Date: Sat, 20 Jun 2020 07:17:06 +0200
Subject: [PATCH] Fix buffer overflow in linear regression.
When the dependent variable and the indepdendent variable are one and the same (a rather pointless situation), a buffer overflow would occur. This change fixes that.
Reported by: Andrea Fioraldi
Fixes bug: #58599
---
 src/language/stats/regression.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/language/stats/regression.c b/src/language/stats/regression.c
index 28618f12b0..6fa114338e 100644
--- a/src/language/stats/regression.c
+++ b/src/language/stats/regression.c
@@ -706,8 +706,13 @@ run_regression_get_models (const struct regression *cmd,
 size_t n_all_vars = get_n_all_vars (cmd);
 const struct variable **all_vars = xnmalloc (n_all_vars, sizeof (*all_vars));
- double *means = xnmalloc (n_all_vars, sizeof (*means));
-
+ /* In the (rather pointless) case where the dependent variable is
+ the independent variable, n_all_vars == 1.
+ However this would result in a buffer overflow so we must
+ over-allocate the space required in this malloc call.
+ See bug #58599 */
+ double *means = xnmalloc (n_all_vars <= 1 ? 2 : n_all_vars,
+ sizeof (*means));
 fill_all_vars (all_vars, cmd);
 cov = covariance_1pass_create (n_all_vars, all_vars, dict_get_weight (dataset_dict (cmd->ds)),
--
2.30.2
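Review bot: The new `xnmalloc (n_all_vars <= 1 ? 2 : n_all_vars, sizeof (*means))` pads `means` at the allocation site, but the write that overruns a one-element array is not in this hunk, so the out-of-bounds index itself is left in place and the constant `2` is only known to be enough for whatever that writer currently does; `all_vars` on the line above is still allocated with the unpadded `n_all_vars`, so any similar index there is not covered. A more defensible fix is to reject the degenerate case before allocating anything, along the lines of `if (n_all_vars <= 1) { /* report: dependent and independent variables must differ */ return; }` (the function's error-reporting and cleanup conventions are outside this hunk, so adapt to them). If the over-allocation is kept, the comment should say which code indexes past `n_all_vars` and why two elements suffice, e.g. `/* When n_all_vars == 1 the later code still touches means[1]; allocate two elements so that access stays in bounds — see bug #58599. TODO confirm against the writer. */`, rather than the vague "over-allocate". run_regression_get_models starts before and continues after this hunk.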