The issue arises when the tag ID is reused, leading to the reuse of the signatures buffer without reallocation. If the number of switching variables increases during this process, it can cause a heap buffer overflow due to insufficient space in the reused buffer.
In the trace_on function, we invoke initNewTape (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/tape_handling.cpp#L800), which checks whether the tag ID has been used previously (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/tape_handling.cpp#L204). If the tag ID is found to be already used and no one is currently using it (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/tape_handling.cpp#L206), the function calls initTapeInfos_keep (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/tape_handling.cpp#L224), which in turn reassigns the signatures buffer (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/tape_handling.cpp#L184).

The signatures buffer is initialized during the first call to zos_pl_forward (https://github.com/coin-or/ADOL-C/blob/d5e3c2a3573ae6c5c92a882c13bc6f1714cae21f/ADOL-C/src/uni5_for.c#L1102), with the number of switching variables determining its size.
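To make the lifecycle above concrete, here is an added example (not ADOL-C code) that models a tape whose signatures buffer is sized at the first forward sweep and kept across a tag reuse; the unpatched path reports the would-be out-of-bounds write, the patched path regrows the buffer when a later sweep needs more entries. Tape, tape_init_keep, forward_sweep and reuse_tag_scenario are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not ADOL-C code: a simplified model of the tape
 * bookkeeping described in the report. Names are hypothetical. */
typedef struct {
    int    *signatures;   /* one entry per switching variable */
    size_t  capacity;     /* entries allocated, 0 until first sweep */
} Tape;

/* Models initTapeInfos_keep: reset the tape for a reused tag but keep the
 * previously allocated signatures buffer instead of freeing it. */
static void tape_init_keep(Tape *t) {
    int   *kept     = t->signatures;
    size_t kept_cap = t->capacity;
    memset(t, 0, sizeof *t);
    t->signatures = kept;
    t->capacity   = kept_cap;
}

/* Models the first-sweep allocation in zos_pl_forward. Unpatched, the
 * buffer is allocated only when the pointer is NULL, so a kept buffer
 * sized for fewer switches would be written past its end; the model
 * reports that instead of corrupting the heap. Patched, the buffer is
 * regrown whenever the sweep needs more entries than are allocated.
 * Returns 0 on success, 1 on would-be overflow, -1 on allocation failure. */
static int forward_sweep(Tape *t, size_t num_switches, int patched) {
    int grow = (t->signatures == NULL) ||
               (patched && num_switches > t->capacity);
    if (grow) {
        int *p = realloc(t->signatures, num_switches * sizeof *p);
        if (p == NULL) return -1;
        t->signatures = p;
        t->capacity   = num_switches;
    }
    if (num_switches > t->capacity) return 1; /* unpatched path only */
    for (size_t i = 0; i < num_switches; i++) t->signatures[i] = 0;
    return 0;
}

/* Replay the reported sequence: sweep with `first` switches, reuse the
 * tag (buffer kept), then sweep again with `second` switches. */
int reuse_tag_scenario(size_t first, size_t second, int patched) {
    Tape t = { NULL, 0 };
    int rc = forward_sweep(&t, first, patched);
    if (rc == 0) {
        tape_init_keep(&t);
        rc = forward_sweep(&t, second, patched);
    }
    free(t.signatures);
    return rc;
}
```

Only the case where the switch count grows on reuse (2 then 4) trips the unpatched path; a shrinking count fits in the kept buffer either way.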