rtgplot segfaults due to going outside the bounds of the DOs and LOs array

[cedlecomte]

From [email protected] on May 12, 2014 00:10:14

Under some circumstances rtgplot segfaults - in my case it was when plotting several data series. I could not narrow down the particular set of circumstances that causes it, but I did find what appear to be bugs in the code that, when fixed, stop the segfault.

I expected PNG output, instead the command crashed.

The problem exists in 0.9.0 and also 0.9.1 under Linux (Ubuntu) - I have not checked other versions.

The "problem" appears to be the for loops that iterate over the DOs and LOs elements... for (i=0; i<=count.DOs; i++)

When I printf'd the count.DOs value, it was 5, so i should be limited from 0 to 4 - this for loop strangely allows i to become 5, but suspiciously and immediately checks if it is NULL. I suspect my undefined memory region allowed the code to continue, which leads to a segfault when it tries to process what the garbage points to.

The (naive) fix is to change the i<=count.DOs to i < count.DOs in several places in the code (rtgplot.c), as well as a similar thing with the count.LOs for loops.

If there is good reason for being wacky and going outside of the bounds of the array, please explain the logic :P

Original issue: http://code.google.com/p/rtg2/issues/detail?id=46