TheAlgorithms/C-Plus-Plus

[BUG] Buffer overflow in median_search.cpp due to missing input validation in search/median_search.cpp

Closed this issue · 7 comments

Description

A buffer overflow vulnerability exists in median_search.cpp when handling empty or invalid input arrays. The error occurs at:

median_search.cpp:79:11: error: buffer overflow, pointer '&m' accesses 0 bytes at offset 0 bytes of local variable 'm' of size 0 bytes
pivot = m[(sz- 1) / 2

The code fails to validate input size n in main(), allowing zero/negative values.
When empty arrays are processed, the median vector m becomes empty.
Attempting to access m[0] when m.size() == 0 causes a buffer overflow.

Expected behavior

Input Validation
The program should validate all user inputs (array size n and elements) and:
Reject non-positive array sizes (n ≤ 0) with a clear error message.
Handle empty arrays gracefully (e.g., throw an exception or return an error code).
Graceful Error Handling
For invalid inputs (e.g., n = 0 or negative sizes):
Display a user-friendly error (e.g., "Error: Array size must be a positive integer").

Actual behavior

Crash on Invalid Input

When entering n ≤ 0 (e.g., 0 or -5), the program crashes with a buffer overflow.

Steps to reproduce

No response

Context

Blocked Proper Testing
While implementing unit tests for edge cases, the crashes on empty/negative inputs prevented me from completing test coverage. The code "works" for normal inputs but fails catastrophically for invalid ones.

Additional information

No response
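The validation requested in this report, sketched as an added example (editorial, not part of the issue and not the repository's median_search.cpp): a median-of-medians selection that rejects empty input before the medians vector `m` is indexed, plus a size parser that rejects non-positive values. The names `read_size` and `select_kth` are hypothetical.

```cpp
// Added example; read_size and select_kth are hypothetical names, not the repository's code.
#include <algorithm>
#include <cstddef>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Parse a user-supplied array size; reject non-numeric, zero and negative values.
std::optional<std::size_t> read_size(const std::string& text) {
    try {
        std::size_t used = 0;
        long long n = std::stoll(text, &used);
        if (used != text.size() || n <= 0) return std::nullopt;
        return static_cast<std::size_t>(n);
    } catch (const std::exception&) {
        return std::nullopt;  // not a number, or outside the range of long long
    }
}

// Median-of-medians selection: returns the k-th smallest element (k is 1-based).
int select_kth(std::vector<int> a, std::size_t k) {
    if (a.empty()) throw std::invalid_argument("array must not be empty");
    if (k == 0 || k > a.size()) throw std::out_of_range("k out of range");
    if (a.size() <= 5) {
        std::sort(a.begin(), a.end());
        return a[k - 1];
    }
    std::vector<int> m;  // medians of each group of up to five elements
    for (std::size_t i = 0; i < a.size(); i += 5) {
        auto first = a.begin() + i;
        auto last = a.begin() + std::min(i + 5, a.size());
        std::sort(first, last);
        m.push_back(*(first + (last - first - 1) / 2));
    }
    // a is non-empty here, so m holds at least one median and is safe to select from.
    int pivot = select_kth(m, (m.size() + 1) / 2);
    std::vector<int> lo, eq, hi;
    for (int x : a) (x < pivot ? lo : x == pivot ? eq : hi).push_back(x);
    if (k <= lo.size()) return select_kth(lo, k);
    if (k <= lo.size() + eq.size()) return pivot;
    return select_kth(hi, k - lo.size() - eq.size());
}
```

A caller would print an error such as the one suggested above when `read_size` returns no value, and never construct the array at all.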

Can you please assign it to me? I can fix it.

Is it resolved or can I work on it?

Is it resolved or can I work on it?

I have solved it and opened a pull request, but it is not approved yet.

Can I work on this?

This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Please ping one of the maintainers once you add more information and updates here. If this is not the case and you need some help, feel free to ask for help in our Gitter channel or our Discord server. Thank you for your contributions!