From 9c994b27b4d71750909e57ffd97b6a2006465e47 Mon Sep 17 00:00:00 2001 From: Stephan Hageboeck Date: Wed, 8 Jul 2026 17:47:12 +0200 Subject: [PATCH] [io] Fix an asan buffer overflow detection in TBufferFile. As a followup to fe1be25, increase the auto-allocated array buffer by one element. In fe1be25 (PR #22165), the external allocation in TBasket (size == fNevBufSize) was replaced with an automatic allocation in TBufferFile::ReadArray(Int_t), whose size was the number of elements read from the file. However, when the integer array is used as an offset array, it is assumed to contain one more element. The auto-allocated buffer needs to be large enough to cover this case. --- io/io/src/TBufferFile.cxx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io/io/src/TBufferFile.cxx b/io/io/src/TBufferFile.cxx index a20a67ec60861..b123708aa084d 100644 --- a/io/io/src/TBufferFile.cxx +++ b/io/io/src/TBufferFile.cxx @@ -824,7 +824,10 @@ Int_t TBufferFile::ReadArray(Int_t *&ii) if (ShouldNotReadCollection(l, n)) return 0; - if (!ii) ii = new Int_t[n]; + // Allocate a buffer for this array if the caller hasn't done so. + // Note: Offset arrays require one more element than n claims, so we need to overallocate. + if (!ii) + ii = new Int_t[n + 1]; #ifdef R__BYTESWAP # ifdef USE_BSWAPCPY