[hist] prevent TFormula out of bounds access

ferdymercury · vepadulano · commit f00b04e43c6d · 2026-02-25T11:46:29.000+01:00
Fixes #21104 [hist] fix access when opening bracket pos exactly at length [hist] additional out of bounds access safety guards
diff --git a/hist/hist/src/TFormula.cxx b/hist/hist/src/TFormula.cxx
@@ -1250,7 +1250,7 @@ void TFormula::HandleParametrizedFunctions(TString &formula)
          // check if function has specified the [...] e.g. gaus[x,y]
          Int_t openingBracketPos = funPos + funName.Length() + (isNormalized ? 1 : 0);
          Int_t closingBracketPos = kNPOS;
-         if (openingBracketPos > formula.Length() || formula[openingBracketPos] != '[') {
+         if (openingBracketPos >= formula.Length() || formula[openingBracketPos] != '[') {
             dim = funDim;
             variables.resize(dim);
             for (Int_t idim = 0; idim < dim; ++idim)
@@ -1428,29 +1428,29 @@ void TFormula::HandleFunctionArguments(TString &formula)
 
       // ignore things that start with square brackets
       if (formula[i] == '[') {
-         while (formula[i] != ']')
+         while (i < formula.Length() && formula[i] != ']')
             i++;
          continue;
       }
       // ignore strings
-      if (formula[i] == '\"') {
+      if (i < formula.Length() && formula[i] == '\"') {
          do
             i++;
-         while (formula[i] != '\"');
+         while (i < formula.Length() && formula[i] != '\"');
          continue;
       }
       // ignore numbers (scientific notation)
       if (IsScientificNotation(formula, i))
          continue;
       // ignore x in hexadecimal number
       if (IsHexadecimal(formula, i)) {
-         while (!IsOperator(formula[i]) && i < formula.Length())
+         while (i < formula.Length() && !IsOperator(formula[i]))
             i++;
          continue;
       }
 
       // investigate possible start of function name
-      if (isalpha(formula[i]) && !IsOperator(formula[i])) {
+      if (i < formula.Length() && isalpha(formula[i]) && !IsOperator(formula[i])) {
          // std::cout << "character : " << i << " " << formula[i] << " is not an operator and is alpha" << std::endl;
 
          int j; // index to end of name
@@ -1956,7 +1956,7 @@ void TFormula::ExtractFunctors(TString &formula)
          // look for next instance of "\"
          do {
             i++;
-         } while (formula[i] != '\"');
+         } while (i < formula.Length() && formula[i] != '\"');
       }
       // case of e or E for numbers in exponential notation (e.g. 2.2e-3)
       if (IsScientificNotation(formula, i))
@@ -1965,7 +1965,7 @@ void TFormula::ExtractFunctors(TString &formula)
       if (IsHexadecimal(formula, i)) {
          // find position of operator
          // do not check cases if character is not only a to f, but accept anything
-         while (!IsOperator(formula[i]) && i < formula.Length()) {
+         while (i < formula.Length() && !IsOperator(formula[i])) {
             i++;
          }
          continue;
@@ -1997,7 +1997,7 @@ void TFormula::ExtractFunctors(TString &formula)
          // printf(" build a name %s \n",name.Data() );
          if (formula[i] == '(') {
             i++;
-            if (formula[i] == ')') {
+            if (i < formula.Length() && formula[i] == ')') {
                fFuncs.push_back(TFormulaFunction(name, body, 0));
                name = body = "";
                continue;
@@ -3622,8 +3622,8 @@ TString TFormula::GetExpFormula(Option_t *option) const
          // look for p[number
          if (clingFormula[i] == 'p' && clingFormula[i+1] == '[' && isdigit(clingFormula[i+2]) ) {
             int j = i+3;
-            while ( isdigit(clingFormula[j]) ) { j++;}
-            if (clingFormula[j] != ']') {
+            while ( j < clingFormula.Length() && isdigit(clingFormula[j]) ) { j++;}
+            if ( j >= clingFormula.Length() || clingFormula[j] != ']') {
                Error("GetExpFormula","Parameters not found - invalid expression - return default cling formula");
                return clingFormula;
             }
@@ -3647,8 +3647,8 @@ TString TFormula::GetExpFormula(Option_t *option) const
          // look for [parName]
          if (expFormula[i] == '[') {
             int j = i+1;
-            while ( expFormula[j] != ']' ) { j++;}
-            if (expFormula[j] != ']') {
+            while ( j < expFormula.Length() && expFormula[j] != ']' ) { j++;}
+            if ( j >= expFormula.Length() || expFormula[j] != ']') {
                Error("GetExpFormula","Parameter names not found - invalid expression - return default formula");
                return expFormula;
             }
