svn commit: r367734 - head/usr.bin/bsdiff/bsdiff
Mitchell Horne
mhorne at FreeBSD.org
Mon Nov 16 18:41:50 UTC 2020
Author: mhorne
Date: Mon Nov 16 18:41:49 2020
New Revision: 367734
URL: https://svnweb.freebsd.org/changeset/base/367734
Log:
bsdiff: fix off-by-one error
The program reads oldsize bytes from oldfile, and proceeds to initialize
a suffix array of oldsize elements using divsufsort(). As per the
function's API [1], array indices 0 through n-1 are initialized.
Later, search() is called, but with index bounds [0, n]. Depending on
the contents of the malloc'd buffer, accessing this uninitialized index
at the end of can result in a segmentation fault. Fix this by passing
oldsize-1 to search(), limiting the search bounds to [0, n-1].
This bug is a result of r303285, which introduced divsufsort() as an
alternate suffix sorting function to the existing qsufsort(). It seems
that qsufsort() did initialize the final empty element, meaning it could
be safely accessed. This difference in the implementations was missed at
the time.
[1] https://github.com/y-256/libdivsufsort
Discussed with: cperciva
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26911
Modified:
head/usr.bin/bsdiff/bsdiff/bsdiff.c
Modified: head/usr.bin/bsdiff/bsdiff/bsdiff.c
==============================================================================
--- head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 17:56:58 2020 (r367733)
+++ head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 18:41:49 2020 (r367734)
@@ -212,7 +212,7 @@ int main(int argc,char *argv[])
for(scsc=scan+=len;scan<newsize;scan++) {
len=search(I,old,oldsize,new+scan,newsize-scan,
- 0,oldsize,&pos);
+ 0,oldsize-1,&pos);
for(;scsc<scan+len;scsc++)
if((scsc+lastoffset<oldsize) &&
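Review bot: the corrected call `0,oldsize-1,&pos` gives no hint of why the bound is one less than the array length, and the log says the regression came precisely from qsufsort() initializing the final element while divsufsort() does not; a one-line comment at the call site (e.g. `/* divsufsort() fills I[0..oldsize-1] only */`) would keep a future reader from "fixing" it back to `oldsize`. It is also worth confirming in the review that search() treats `en` as an inclusive index, as the log's `[0, n]` / `[0, n-1]` notation implies, since that is what makes `oldsize-1` correct: if `en` were exclusive, this change would silently drop the last initialized suffix from every lookup instead of removing the uninitialized read.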
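An added illustration of the off-by-one described in the log above, written for this page and not taken from bsdiff: a small C program builds a suffix array for a constructed buffer, fills only the n entries that divsufsort() would fill, and instruments the lookup so that a read of the unfilled slot I[n] is counted rather than crashing. The inclusive-bound search() mirrors the shape of bsdiff's search but the names (at, bad_reads, found_len, found_pos) and the sample data are this example's own.

```c
#include <stdio.h>
#include <string.h>
/* Constructed "old" file; the suffix array gets n+1 slots but only n are ever filled. */
static const unsigned char OLD[] = "abracadabra";
#define OLDSIZE ((long)sizeof(OLD) - 1)
static long I[OLDSIZE + 1];
static int poison_reads;          /* how often search() touched the unfilled slot I[OLDSIZE] */
static long found_len, found_pos; /* result of the most recent search */
/* Naive suffix sort: initializes I[0..n-1] only, as divsufsort() does. */
static void build_suffix_array(void) {
    for (long i = 0; i < OLDSIZE; i++) {
        long j = i;
        for (; j > 0 && strcmp((const char *)OLD + I[j - 1], (const char *)OLD + i) > 0; j--)
            I[j] = I[j - 1];
        I[j] = i;
    }
    I[OLDSIZE] = 0x7fffffff;      /* stands in for whatever malloc() left in the extra slot */
}
static long at(long i) {          /* read I[i], counting instead of crashing on the bad slot */
    if (i == OLDSIZE) poison_reads++;
    return I[i];
}
static long matchlen(long s, const unsigned char *nbuf, long nsize) {
    long i = 0; if (s >= OLDSIZE) return 0; /* guard so the demo survives the garbage index */
    while (i < OLDSIZE - s && i < nsize && OLD[s + i] == nbuf[i]) i++;
    return i;
}
/* Binary search over suffixes with INCLUSIVE bounds [st, en], mirroring bsdiff's search(). */
static long search(long st, long en, const unsigned char *nbuf, long nsize, long *pos) {
    if (en - st < 2) {            /* base case reads I[en]: with en == n that is the bad slot */
        long x = matchlen(at(st), nbuf, nsize), y = matchlen(at(en), nbuf, nsize);
        *pos = x > y ? at(st) : at(en);
        return x > y ? x : y;
    }
    long mid = st + (en - st) / 2, s = at(mid), m = OLDSIZE - s < nsize ? OLDSIZE - s : nsize;
    return memcmp(OLD + s, nbuf, m) < 0 ? search(mid, en, nbuf, nsize, pos)
                                        : search(st, mid, nbuf, nsize, pos);
}
/* One search with upper bound en; returns the number of reads of I[OLDSIZE]. */
static int bad_reads(long en, const char *nbuf) {
    build_suffix_array(); poison_reads = 0;
    found_len = search(0, en, (const unsigned char *)nbuf, (long)strlen(nbuf), &found_pos);
    return poison_reads;
}
int main(void) {
    int before = bad_reads(OLDSIZE, "zz"), after = bad_reads(OLDSIZE - 1, "cad");
    printf("en=n: %d bad reads; en=n-1: %d bad reads, \"cad\" at %ld len %ld\n",
           before, after, found_pos, found_len);
    return 0;
}
```

Searching for "zz", which sorts after every suffix, drives the old bound straight to I[n]; the new bound never reaches it and still locates "cad" at offset 4 with length 3.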