Description: Fix out-of-bounds array write in src/filter/src/bessel.c
The bessel_azpkf() function receives a pointer to a poles array with
length of the filter order _n. It then proceeds to call
fpoly_bessel_roots() with the same array pointer, but with _n+1. The
roots function assumes there are _n+1 elements in the array and writes
one element past the original array.
.
Use a temporary array for the roots function and copy the data out
afterwards.
Author: Andreas Bombe <aeb@debian.org>
Last-Update: 2023-01-11
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
diff --git a/src/filter/src/bessel.c b/src/filter/src/bessel.c
index 8a63efd1..79c71592 100644
--- a/src/filter/src/bessel.c
+++ b/src/filter/src/bessel.c
@@ -68,9 +68,15 @@ int bessel_azpkf(unsigned int _n,
float complex * _pa,
float complex * _ka)
{
+ // roots are computed with order _n+1 so we must use a longer array to
+ // prevent out-of-bounds write on the provided _pa array
+ float complex _tmp_pa[_n+1];
+
// compute poles (roots to Bessel polynomial)
- if (fpoly_bessel_roots(_n+1,_pa) != LIQUID_OK)
+ if (fpoly_bessel_roots(_n+1,_tmp_pa) != LIQUID_OK)
return liquid_error(LIQUID_EICONFIG,"bessel_azpkf(), invalid configuration");
+ for (int i = 0; i < _n; i++)
+ _pa[i] = _tmp_pa[i];
// analog Bessel filter prototype has no zeros
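Review bot: The temporary `float complex _tmp_pa[_n+1];` declared at the top of bessel_azpkf() is a variable-length array on the stack whose size comes straight from the caller-supplied `unsigned int _n`, and no upper bound on `_n` is checked in the visible lines, so a very large filter order would replace the out-of-bounds write with stack exhaustion. Consider allocating the scratch buffer on the heap (and freeing it on both the error return and the normal path), or rejecting `_n` above a documented maximum before the declaration. In the copy loop, `for (int i = 0; i < _n; i++)` compares a signed `int` with the unsigned `_n`; declaring `i` as `unsigned int` avoids the sign-compare warning. Since fpoly_bessel_roots() fills _n+1 entries and only the first _n are copied, a one-line comment stating why the last entry can be discarded would help the next reader.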