From 2ac0b787399df718dc61219145f44a6ae99813aa Mon Sep 17 00:00:00 2001
From: Adam Shapiro <adamshapiro0@gmail.com>
Date: Tue, 23 Feb 2021 21:32:39 +0000
Subject: Fixed sparse conservativeResize() when both num cols and rows
 decreased.

The previous implementation caused a buffer overflow trying to calculate non-
zero counts for columns that no longer exist.
---
 Eigen/src/SparseCore/SparseMatrix.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'Eigen/src/SparseCore')

diff --git a/Eigen/src/SparseCore/SparseMatrix.h b/Eigen/src/SparseCore/SparseMatrix.h
index 6e6cab3c0..616b4a0c2 100644
--- a/Eigen/src/SparseCore/SparseMatrix.h
+++ b/Eigen/src/SparseCore/SparseMatrix.h
@@ -579,10 +579,12 @@ class SparseMatrix
       else if (innerChange < 0) 
       {
         // Inner size decreased: allocate a new m_innerNonZeros
-        m_innerNonZeros = static_cast<StorageIndex*>(std::malloc((m_outerSize+outerChange+1) * sizeof(StorageIndex)));
+        m_innerNonZeros = static_cast<StorageIndex*>(std::malloc((m_outerSize + outerChange) * sizeof(StorageIndex)));
         if (!m_innerNonZeros) internal::throw_std_bad_alloc();
-        for(Index i = 0; i < m_outerSize; i++)
+        for(Index i = 0; i < m_outerSize + (std::min)(outerChange, Index(0)); i++)
           m_innerNonZeros[i] = m_outerIndex[i+1] - m_outerIndex[i];
+        for(Index i = m_outerSize; i < m_outerSize + outerChange; i++)
+          m_innerNonZeros[i] = 0;
       }
       
       // Change the m_innerNonZeros in case of a decrease of inner size
-- 
cgit v1.2.3