[SciPy-dev] fitpack memory corruption
Paul Janzen
pcj at linux.sez.to
Sat Mar 25 04:03:56 EST 2006
The following fragment crashes the Python interpreter on both Windows
and Linux due to memory corruption:
from numpy import arange
from scipy.interpolate import splrep
splrep(arange(10),arange(10),k=3,task=-1,t=[0,0,0,0,1,1,1,1])
Here is a simple patch against 1712 that at least fixes this case:
--- Lib\interpolate\__fitpack.h~ 2006-03-17 04:43:36.000000000 -0800
+++ Lib\interpolate\__fitpack.h 2006-03-25 00:16:45.810340800 -0800
@@ -374,11 +374,11 @@
ap_wrk = (PyArrayObject *)PyArray_FromDims(1,&n,PyArray_DOUBLE);
ap_iwrk = (PyArrayObject *)PyArray_FromDims(1,&n,PyArray_INT);
if (ap_wrk == NULL || ap_iwrk == NULL) goto fail;
+ memcpy(ap_wrk->data,wrk,n*sizeof(double));
+ memcpy(ap_iwrk->data,iwrk,n*sizeof(int));
}
memcpy(ap_t->data,t,n*sizeof(double));
memcpy(ap_c->data,c,lc*sizeof(double));
- memcpy(ap_wrk->data,wrk,n*sizeof(double));
- memcpy(ap_iwrk->data,iwrk,n*sizeof(int));
if (wa) free(wa);
Py_DECREF(ap_x);
Py_DECREF(ap_y);
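Review bot: with the two memcpy calls into ap_wrk->data and ap_iwrk->data moved inside the block that allocates those arrays, the path that skips the block no longer copies wrk/iwrk back at all, and nothing in the hunk says whether that is intended. If the caller relies on the updated work arrays on that path, keep the copy but guard it with a check that the destination array holds at least n elements, rather than dropping it. The copies that stay unconditional (into ap_t->data and ap_c->data) have the same shape, n and lc doubles with no size check visible in this hunk, so it is worth confirming that those destinations are always allocated with those lengths.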
Similar scenario at line 215:fitpack_surfit.
I still don't understand why the condition for copying into
ap_{i,}wrk->data (line 373) is iopt==0. Doesn't the curfit
documentation imply that you want to persist wrk/iwrk iff iopt==1?
Also, it looks like the two assignments at 355 and 370 risk leaking
references?
ap_t=(PyArrayObject*)PyArray_ContiguousFromObject(t_py,PyArray_DOUBLE, 0, 1);
...
ap_t = (PyArrayObject *)PyArray_FromDims(1,&n,PyArray_DOUBLE);
As do the second assignments to ap_wrk/ap_iwrk.
-- Paul