I emailed Patrick a patch when Silvia reported the bug, but my emails
might be going to spam.
The GSL library seems to use GSL_ERROR_VAL() to report invalid function
arguments, so this is the patch I sent:
diff --git a/siman/siman.c b/siman/siman.c
index 65b9177f..017a5e26 100644
--- a/siman/siman.c
+++ b/siman/siman.c
@@ -202,6 +202,10 @@ gsl_siman_solve_many (const gsl_rng * r, void
*x0_p, gsl_siman_Efunc_t Ef,
printf (" delta_pos energy\n");
}
+ if (params.n_tries <= 0) {
+ GSL_ERROR_VAL ("tries must be > 0", GSL_EINVAL, params.n_tries);
+ }
+
x = (void *) malloc (params.n_tries * element_size);
new_x = (void *) malloc (params.n_tries * element_size);
energies = (double *) malloc (params.n_tries * sizeof (double));
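Review bot: In the added GSL_ERROR_VAL call, the third argument is the value the macro returns, so this hands the invalid params.n_tries back to the caller as the function result. The return type is not visible in this hunk; if gsl_siman_solve_many is declared void, GSL_ERROR_VOID ("tries must be > 0", GSL_EINVAL); is the matching macro. The check also sits after the printf header lines shown as context, so a rejected call still prints the header; placing it above the if (print_position) block would reject the argument before any output.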
On 10/28/24 16:01, Dirk Eddelbuettel wrote:
On 28 October 2024 at 16:02, Dirk Eddelbuettel wrote:
|
| This is apparently now CVE-2024-50610 [1], I was just pinged (as the Debian
| maintainer) by the Debian security team.
|
| Does the GSL team have a view on the preferred fix? Bracket the allocation
| with an if (non_negative) { ... } block as suggested?
Patch proposal:
--- gsl-2.8+dfsg.orig/siman/siman.c
+++ gsl-2.8+dfsg/siman/siman.c
@@ -197,6 +197,9 @@ gsl_siman_solve_many (const gsl_rng * r,
double u; /* throw the die to choose a new
"x" */
int n_iter;
+ /* this function requires that n_tries be positive */
+ assert(params.n_tries > 0);
+
if (print_position) {
printf ("#-iter temperature position");
printf (" delta_pos energy\n");
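Review bot: The assert(params.n_tries > 0) added ahead of the if (print_position) block is compiled out when the library is built with NDEBUG, which leaves the allocation unguarded in exactly the builds most users run, and when it is active it aborts the calling process instead of reporting an error the caller can handle. An unconditional check that goes through the library's error reporting with GSL_EINVAL, as in the other patch in this thread, would cover both cases. The hunk also adds no #include <assert.h>, so confirm siman.c already pulls it in.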
The test program then aborts:
# gcc gsl_cve_ex.c -o gsl_cve_ex -lgsl
# ./gsl_cve_ex
gsl_cve_ex: siman.c:201: gsl_siman_solve_many: Assertion `params.n_tries > 0' failed.
Aborted (core dumped)
#
Dirk