output/csv: fix out-of-bounds array access in process_analog()
authorGerhard Sittig <redacted>
Sun, 4 Mar 2018 18:12:29 +0000 (19:12 +0100)
committerUwe Hermann <redacted>
Mon, 12 Mar 2018 14:55:22 +0000 (15:55 +0100)
Make sure to not exceed the ctx->analog_samples[] array bounds. Don't
use the (huge) channel's index in the device's(!) channel list, instead
use the zero-based and dense index into the array of analog samples in
the accumulation buffer, before writing to the external file.

This fixes the segfault reported in bug #1124.

src/output/csv.c

index 4c114409d22dd5b87028ffc5379c67bfa5f1f01c..dce630c693157191dec7c775c28eb49e08683db4 100644 (file)
@@ -312,6 +312,7 @@ static void process_analog(struct context *ctx,
        int ret;
        size_t num_rcvd_ch, num_have_ch;
        size_t idx_have, idx_smpl, idx_rcvd;
+       size_t idx_send;
        struct sr_analog_meaning *meaning;
        GSList *l;
        float *fdata = NULL;
@@ -336,6 +337,7 @@ static void process_analog(struct context *ctx,
                sr_warn("Problems converting data to floating point values.");
 
        num_have_ch = ctx->num_analog_channels + ctx->num_logic_channels;
+       idx_send = 0;
        for (idx_have = 0; idx_have < num_have_ch; idx_have++) {
                if (ctx->channels[idx_have].ch->type != SR_CHANNEL_ANALOG)
                        continue;
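Review bot: `idx_send` carries the whole fix but nothing in the code says how it differs from `idx_have`, so a later edit could easily swap them back. At `idx_send = 0;` (or at the declaration in the first hunk) I would add `/* idx_send: dense, zero-based position among analog channels only; column index into ctx->analog_samples[] */`. The write stays in bounds only if the number of SR_CHANNEL_ANALOG entries in ctx->channels[] equals ctx->num_analog_channels. That is established outside the visible hunks, so the comment should state it as an assumption. The loop body continues past this hunk.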
@@ -351,9 +353,10 @@ static void process_analog(struct context *ctx,
                                        &ctx->channels[idx_have].label);
                        }
                        for (idx_smpl = 0; idx_smpl < analog->num_samples; idx_smpl++)
-                               ctx->analog_samples[idx_smpl * ctx->num_analog_channels + idx_have] = fdata[idx_smpl * num_rcvd_ch + idx_rcvd];
+                               ctx->analog_samples[idx_smpl * ctx->num_analog_channels + idx_send] = fdata[idx_smpl * num_rcvd_ch + idx_rcvd];
                        break;
                }
+               idx_send++;
        }
        g_free(fdata);
 }
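Review bot: The column index is now bounded, but the row offset `idx_smpl * ctx->num_analog_channels` in the copy loop is still limited only by `analog->num_samples`, which comes from the incoming packet. The allocation of ctx->analog_samples[] is not visible in this hunk; if it is sized once from an earlier packet's sample count, a later packet with more samples would still write past the end of the buffer. I would clamp the loop, e.g. `for (idx_smpl = 0; idx_smpl < MIN(analog->num_samples, alloc_samples); idx_smpl++)`, where `alloc_samples` is a placeholder for whatever count the buffer was sized with, or drop the packet when the counts differ. The start of process_analog() lies outside the hunk, so this needs checking against the allocation code.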