From 418ec3008614d15b674e5524e2a0cd9d51aede4a Mon Sep 17 00:00:00 2001
From: Shahram Najm
Date: Thu, 15 Dec 2022 14:07:03 +0000
Subject: [PATCH] ECC-1494: Segmentation fault: 'grib_ls -p values' on several test GRIBs
---
 ...cessor_class_data_g1second_order_general_extended_packing.c | 3 +++
 src/grib_accessor_class_data_g1second_order_general_packing.c | 3 +++
 ...rib_accessor_class_data_g1second_order_row_by_row_packing.c | 3 +++
 src/grib_accessor_class_data_g22order_packing.c | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/src/grib_accessor_class_data_g1second_order_general_extended_packing.c b/src/grib_accessor_class_data_g1second_order_general_extended_packing.c
index 5c7f3a1bc..b39a32ac2 100644
--- a/src/grib_accessor_class_data_g1second_order_general_extended_packing.c
+++ b/src/grib_accessor_class_data_g1second_order_general_extended_packing.c
@@ -409,6 +409,9 @@ static int unpack_double(grib_accessor* a, double* values, size_t* len)
 if (ret)
 return ret;
 
+ if (*len < (size_t)numberOfValues)
+ return GRIB_ARRAY_TOO_SMALL;
+
 if ((ret = grib_get_long_internal(handle, self->numberOfGroups, &numberOfGroups)) != GRIB_SUCCESS)
 return ret;
 
diff --git a/src/grib_accessor_class_data_g1second_order_general_packing.c b/src/grib_accessor_class_data_g1second_order_general_packing.c
index eaeefa925..7f8d7892e 100644
--- a/src/grib_accessor_class_data_g1second_order_general_packing.c
+++ b/src/grib_accessor_class_data_g1second_order_general_packing.c
@@ -260,6 +260,9 @@ static int unpack_double(grib_accessor* a, double* values, size_t* len)
 &numberOfSecondOrderPackedValues)) != GRIB_SUCCESS)
 return ret;
 
+ if (*len < (size_t)numberOfSecondOrderPackedValues)
+ return GRIB_ARRAY_TOO_SMALL;
+
 groupWidths = (long*)grib_context_malloc_clear(a->context, sizeof(long) * numberOfGroups);
 groupWidthsSize = numberOfGroups;
 if ((ret = grib_get_long_array_internal(grib_handle_of_accessor(a), self->groupWidths, groupWidths, &groupWidthsSize)) != GRIB_SUCCESS)
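Review bot: In grib_accessor_class_data_g1second_order_general_extended_packing.c the new guard `if (*len < (size_t)numberOfValues)` casts what is presumably a signed count to size_t, so a negative count from a malformed message turns into a huge number and is reported as GRIB_ARRAY_TOO_SMALL; that fails safely but hides the real cause. Rejecting it first, e.g. `if (numberOfValues < 0) return GRIB_DECODING_ERROR;`, would separate corrupt input from a short caller buffer, and a comment such as `/* values[] must hold every decoded value; checked before the first write */` would record why the check sits here. The same cast appears in the guards added to the other three files in this patch. The diffstat lists only the four source files, so a regression test that decodes a second-order packed message into an undersized array would be worth adding. unpack_double starts and ends outside the hunk.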
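Review bot: In grib_accessor_class_data_g1second_order_general_packing.c the guard bounds `*len` by `numberOfSecondOrderPackedValues`, a key read from the message, while the general_extended file checks `numberOfValues`; the hunk does not show which count the decode loop uses when it writes into `values`. If the loop writes a different number of elements, the check does not bound the write, so the bound should be the same variable the loop runs to, with a comment like `/* bound matches the number of elements written to values[] below */`. The rest of unpack_double is outside the hunk, so this needs confirming against the loop.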
diff --git a/src/grib_accessor_class_data_g1second_order_row_by_row_packing.c b/src/grib_accessor_class_data_g1second_order_row_by_row_packing.c
index 99e4b0514..9f4401b32 100644
--- a/src/grib_accessor_class_data_g1second_order_row_by_row_packing.c
+++ b/src/grib_accessor_class_data_g1second_order_row_by_row_packing.c
@@ -411,6 +411,9 @@ static int unpack_double(grib_accessor* a, double* values, size_t* len)
 for (i = 0; i < numberOfGroups; i++)
 n += numbersPerRow[i];
 
+ if (*len < (size_t)n)
+ return GRIB_ARRAY_TOO_SMALL;
+
 X = (long*)grib_context_malloc_clear(a->context, sizeof(long) * n);
 n = 0;
 k = 0;
diff --git a/src/grib_accessor_class_data_g22order_packing.c b/src/grib_accessor_class_data_g22order_packing.c
index b92ebcba4..7220f42a6 100644
--- a/src/grib_accessor_class_data_g22order_packing.c
+++ b/src/grib_accessor_class_data_g22order_packing.c
@@ -501,6 +501,9 @@ static int unpack_double(grib_accessor* a, double* val, size_t* len)
 if (err)
 return err;
 
+ if (*len < (size_t)n_vals)
+ return GRIB_ARRAY_TOO_SMALL;
+
 if ((err = grib_get_long_internal(gh, self->bits_per_value, &bits_per_value)) != GRIB_SUCCESS)
 return err;
 if ((err = grib_get_double_internal(gh, self->reference_value, &reference_value)) != GRIB_SUCCESS)
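Review bot: In grib_accessor_class_data_g1second_order_row_by_row_packing.c the new `return GRIB_ARRAY_TOO_SMALL;` sits after the loop that sums `numbersPerRow[i]`, so any buffer unpack_double allocated before this point is not released on this path. The allocations are outside the hunk, so this is inferred; if `numbersPerRow` or other arrays come from `grib_context_malloc_clear`, free them before returning (for example `grib_context_free(a->context, numbersPerRow);`) or route the return through the function's existing cleanup. Since `n` is summed from per-row counts, it is also worth confirming it cannot go negative or overflow before it reaches the `sizeof(long) * n` allocation on the next line.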