From 052f124551d2b78104b0de2008db6b8819713625 Mon Sep 17 00:00:00 2001
From: Alexei Sheplyakov <alexei.sheplyakov@gmail.com>
Date: Sat, 9 Oct 2010 18:39:41 +0200
Subject: [PATCH] mul: algebraic_subs_mul(), has(): don't write beyond the end
 of array

algebraic_match_mul_with_mul() iterates over operands of mul, that is

for (size_t i=0; i<e.nops(); ++i)

However, the size of arrays (`vectors' in STL speak) passed to this
function is seq.size(), which is nops() - 1 for any mul object. Thus
algebraic_match_mul_with_mul() accesses beyond the arrays limit. Usually
it's not a problem, since any reasonable implementation of std::vector<bool>
packs booleans into ints (or longs). However, some STL implementations
(in particular, the one shipped with msvc) are more picky, and access
beyond the vector<bool> limits results in a segfault. Therefore let's
play safe and allocate proper number of elements (that is, nops()) for
those arrays (subsed and currsubsed).
(cherry picked from commit cbb93fadabbd56ba006902967b15b2b2aebb037c)
---
 ginac/mul.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ginac/mul.cpp b/ginac/mul.cpp
index dfda4100..3733bc4a 100644
--- a/ginac/mul.cpp
+++ b/ginac/mul.cpp
@@ -729,6 +729,9 @@ bool algebraic_match_mul_with_mul(const mul &e, const ex &pat, exmap& repls,
 		int factor, int &nummatches, const std::vector<bool> &subsed,
 		std::vector<bool> &matched)
 {
+	GINAC_ASSERT(subsed.size() == e.nops());
+	GINAC_ASSERT(matched.size() == e.nops());
+
 	if (factor == (int)pat.nops())
 		return true;
 
@@ -760,8 +763,8 @@ bool mul::has(const ex & pattern, unsigned options) const
 	if(is_a<mul>(pattern)) {
 		exmap repls;
 		int nummatches = std::numeric_limits<int>::max();
-		std::vector<bool> subsed(seq.size(), false);
-		std::vector<bool> matched(seq.size(), false);
+		std::vector<bool> subsed(nops(), false);
+		std::vector<bool> matched(nops(), false);
 		if(algebraic_match_mul_with_mul(*this, pattern, repls, 0, nummatches,
 				subsed, matched))
 			return true;
@@ -771,8 +774,7 @@ bool mul::has(const ex & pattern, unsigned options) const
 
 ex mul::algebraic_subs_mul(const exmap & m, unsigned options) const
 {	
-	std::vector<bool> subsed(seq.size(), false);
-	exvector subsresult(seq.size());
+	std::vector<bool> subsed(nops(), false);
 	ex divide_by = 1;
 	ex multiply_by = 1;
 
@@ -781,7 +783,7 @@ ex mul::algebraic_subs_mul(const exmap & m, unsigned options) const
 		if (is_exactly_a<mul>(it->first)) {
 retry1:
 			int nummatches = std::numeric_limits<int>::max();
-			std::vector<bool> currsubsed(seq.size(), false);
+			std::vector<bool> currsubsed(nops(), false);
 			exmap repls;
 			
 			if(!algebraic_match_mul_with_mul(*this, it->first, repls, 0, nummatches, subsed, currsubsed))
-- 
2.44.0