From 501700b50c330fb124cbe46e5c002aa2d2706333 Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt
Date: Mon, 5 Dec 2022 10:23:33 +0100
Subject: [PATCH] Fix: buffer overrun in buffer_aggregate_xml() (#1880)

When compiling with gcc on 32 bit armhf: sizeof(double) == 8, sizeof(double *) == 4 If needing a buffer for double, allocating space for a pointer is insufficient and leads to a buffer overrun when assigning a value. We shouldn't confound long int and long int* either.

Signed-off-by: Heinrich Schuchardt
Signed-off-by: Heinrich Schuchardt
---
 src/gmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gmp.c b/src/gmp.c
index e61be6eb5..5af16cb1c 100644
--- a/src/gmp.c
+++ b/src/gmp.c
@@ -10113,7 +10113,7 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
 = g_tree_lookup (subgroup_c_counts, subgroup_value);
 if (subgroup_c_count == NULL)
 {
- subgroup_c_count = g_malloc0 (sizeof (long int*));
+ subgroup_c_count = g_malloc0 (sizeof (long int));
 g_tree_insert (subgroup_c_counts,
 g_strdup (subgroup_value),
 subgroup_c_count);
@@ -10297,7 +10297,7 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
 if (subgroup_c_sum == NULL)
 {
- subgroup_c_sum = g_malloc (sizeof (double *));
+ subgroup_c_sum = g_malloc (sizeof (double));
 *subgroup_c_sum = 0;
 g_tree_insert (c_sum_tree,
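Review bot: The corrected `sizeof (long int)` on the `+` line of the first hunk still spells the type by hand, so the allocation size and the pointee type of `subgroup_c_count` can drift apart again on a later edit, which is exactly how the pointer-vs-object mix-up slipped in; sizing from the variable, `subgroup_c_count = g_malloc0 (sizeof *subgroup_c_count);`, or using `g_new0 (long int, 1)` so an incompatible-pointer warning fires on a type mismatch, removes that hazard. The same applies to the `subgroup_c_sum` allocation in the second hunk, which would become `subgroup_c_sum = g_malloc (sizeof *subgroup_c_sum);` (that hunk is cut off at the end of the patch as shown). Since, as the commit message notes, the overrun only surfaces where a pointer is narrower than the object, a short comment at the allocation such as `/* size from the pointee, not the pointer: a pointer-sized block is too small on 32-bit targets */` would keep the next reader from "simplifying" it back. buffer_aggregate_xml begins and ends outside both hunks.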