Bug 14571 - recursive c() can exceed vector length limit and crash
recursive c() can exceed vector length limit and crash
Status: RESOLVED FIXED
Product: R
Classification: Unclassified
Component: Low-level
R 2.13.0 patched
All All
: P5 normal
Assigned To: R-core
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-03 20:49 UTC by Simon Urbanek
Modified: 2011-05-03 20:54 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Urbanek 2011-05-03 20:49:06 UTC
Reproduce:

x=1:1000000
a=lapply(1:5000, function(...) x)
c(a, recursive=TRUE)

Analysis:
AnswerType() in main/bind.c doesn't check data->ans_length overflow and thus if the resulting overflows and size seems valid, do_c_dflt() will happily try to write elements beyond the size of the resulting vector.

(originally reported as "R 2.13 segfault with range()" by Terry Therneau on R-devel)
Comment 1 Simon Urbanek 2011-05-03 20:54:20 UTC
Fixed.