[Rd] supsmu(periodic=TRUE) can crash R by reading before start of array (PR#9502)

Prof Brian Ripley ripley at stats.ox.ac.uk
Fri Feb 9 09:09:37 CET 2007 

Thank you for the comprehensive report and fix.
Now incorporated in R-devel.

Brian

On Thu, 8 Feb 2007, bill at insightful.com wrote:

> supsmu(periodic=TRUE) can crash R by reading before start of array.
>
> To reproduce:
>   set.seed(1)
>   xx <- runif(29000)
>   yy <- rnorm(29000)
>   span <- 0.49
>   i <- 1
>   while(i < 200){
>      cat(i,"\n")
>      int <- supsmu(xx,yy,periodic=T,span=span)
>      i <-i+1
>   }
>
> results in:
>   1
>   2
>   3
>   4
>   5
>   6
>   7
>   8
>   9
>
>   Program received signal SIGSEGV, Segmentation fault.
>   smooth_ (n=0xffffeffe, x=0xb6a7f020, y=0xb6993020, w=0xb6921020,
>       span=0xffffeffe, iper=0xffffeffe, vsmlsq=0xffffeffe, smo=0xb68e8020,
>       acvr=0x9c7e7c8) at ppr.f:1087
>   1087             xti=x(j)
>   Current language:  auto; currently fortran
>   (gdb) list
>   1082          if (ibw.lt.2) ibw=2
>   1083          it=2*ibw+1
>   1084          do 20 i=1,it
>   1085             j=i
>   1086             if (jper.eq.2) j=i-ibw-1
> -> 1087             xti=x(j)
>   1088             if (j.ge.1) go to 10
>   1089             j=n+j
>   1090             xti=x(j)-1d0
>   1091     10      wt=w(j)
>   (gdb) print jper
>   $1 = 2
>   (gdb) print j
>   $2 = -4099
>
> If you use 'R -d valgrind' it stops in the same spot
> on the first call to supsmu:
>   1
>   ==8058== Invalid read of size 8
>   ==8058==    at 0x56A65DA: smooth_ (ppr.f:1087)
>   ==8058==    by 0x56A64D5: supsmu_ (ppr.f:1028)
>   ==8058==    by 0x80B2488: do_dotCode (dotcode.c:1753)
>   ==8058==    by 0x80C9405: Rf_eval (eval.c:441)
>   ...
>   ==8058==  Address 0x5EFDA80 is 0 bytes after a block of size 232,024 alloc'd
>   ==8058==    at 0x401A6EE: malloc (vg_replace_malloc.c:149)
>   ==8058==    by 0x80EFBC9: Rf_allocVector (memory.c:1952)
>   ==8058==    by 0x807B6CB: do_makevector (builtin.c:558)
>   ==8058==    by 0x80F9946: do_internal (names.c:1091)
>   ==8058==    by 0x80C9478: Rf_eval (eval.c:424)
>
> Note that it computes x(j) and then, if j is out of
> bounds, resets j to be at the end of the x array
> and recomputes x(j).  It should not compute x(j) if
> j is out of bounds.
>
> A fix that keeps this looking like Fortran IV is
> to put 'if (j.ge.1)' at the start of line 1087
> (in R_HOME/src/library/stats/src/ppr.f).  This stops
> the crash and makes valgrind happy.
>
> (Splus has the identical problem and fix.)
>
> *** ppr.f~	2007-02-08 11:31:50.000000000 -0800
> --- ppr.f	2007-02-08 11:32:07.000000000 -0800
> ***************
> *** 1084,1090 ****
>        do 20 i=1,it
>           j=i
>           if (jper.eq.2) j=i-ibw-1
> !          xti=x(j)
>           if (j.ge.1) go to 10
>           j=n+j
>           xti=x(j)-1d0
> --- 1084,1090 ----
>        do 20 i=1,it
>           j=i
>           if (jper.eq.2) j=i-ibw-1
> !          if (j.ge.1) xti=x(j)
>           if (j.ge.1) go to 10
>           j=n+j
>           xti=x(j)-1d0
>
> --please do not edit the information below--
>
> Version:
> platform = i686-pc-linux-gnu
> arch = i686
> os = linux-gnu
> system = i686, linux-gnu
> status = Under development (unstable)
> major = 2
> minor = 5.0
> year = 2007
> month = 02
> day = 05
> svn rev = 40659
> language = R
> version.string = R version 2.5.0 Under development (unstable) (2007-02-05 r40659)
>
> Locale:
> LC_CTYPE=en_US.UTF-8;LC_NUMERIC=C;LC_TIME=en_US.UTF-8;LC_COLLATE=en_US.UTF-8;LC_MONETARY=en_US.UTF-8;LC_MESSAGES=en_US.UTF-8;LC_PAPER=en_US.UTF-8;LC_NAME=C;LC_ADDRESS=C;LC_TELEPHONE=C;LC_MEASUREMENT=en_US.UTF-8;LC_IDENTIFICATION=C
>
> Search Path:
> .GlobalEnv, package:stats, package:graphics, package:grDevices, package:utils, package:datasets, package:methods, Autoloads, package:base
>
> ----------------------------------------------------------------------------
> Bill Dunlap
> Insightful Corporation
> bill at insightful dot com
> 360-428-8146
>
> "All statements in this message represent the opinions of the author and do
> not necessarily reflect Insightful Corporation policy or position."
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>

-- 
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595

More information about the R-devel mailing list