Date: Mon, 16 Nov 2020 18:41:50 +0000 (UTC) From: Mitchell Horne <mhorne@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r367734 - head/usr.bin/bsdiff/bsdiff Message-ID: <202011161841.0AGIfo9f069763@repo.freebsd.org>
Author: mhorne
Date: Mon Nov 16 18:41:49 2020
New Revision: 367734
URL: https://svnweb.freebsd.org/changeset/base/367734

Log:
  bsdiff: fix off-by-one error

  The program reads oldsize bytes from oldfile, and proceeds to initialize a
  suffix array of oldsize elements using divsufsort(). As per the function's
  API [1], array indices 0 through n-1 are initialized. Later, search() is
  called, but with index bounds [0, n]. Depending on the contents of the
  malloc'd buffer, accessing this uninitialized index at the end of can
  result in a segmentation fault. Fix this by passing oldsize-1 to search(),
  limiting the search bounds to [0, n-1].

  This bug is a result of r303285, which introduced divsufsort() as an
  alternate suffix sorting function to the existing qsufsort(). It seems that
  qsufsort() did initialize the final empty element, meaning it could be
  safely accessed. This difference in the implementations was missed at the
  time.

  [1] https://github.com/y-256/libdivsufsort

  Discussed with:  cperciva
  MFC after:  1 week
  Sponsored by:  The FreeBSD Foundation
  Differential Revision:  https://reviews.freebsd.org/D26911

Modified:
  head/usr.bin/bsdiff/bsdiff/bsdiff.c

Modified: head/usr.bin/bsdiff/bsdiff/bsdiff.c
==============================================================================
--- head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 17:56:58 2020 (r367733)
+++ head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 18:41:49 2020 (r367734)
@@ -212,7 +212,7 @@ int main(int argc,char *argv[]) for(scsc=scan+=len;scan<newsize;scan++) { len=search(I,old,oldsize,new+scan,newsize-scan, - 0,oldsize,&pos); + 0,oldsize-1,&pos); for(;scsc<scan+len;scsc++) if((scsc+lastoffset<oldsize) &&
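Review bot: the new upper bound `0,oldsize-1,&pos` becomes -1 when oldsize is 0 (an empty old file), and nothing in this hunk shows the caller or search() rejecting that case before indexing I[en]; worth confirming that an empty oldfile is handled, or skipping the search when oldsize == 0. Also, because this call site is shared with the qsufsort() path the log mentions, the change drops that path's final (empty-suffix) entry from the search range as well; that is harmless if the entry can only ever yield a zero-length match, but a sentence in the log stating so would save the next reader the same question.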
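As an added illustration, not bsdiff's code and not part of this commit, the C program below models the bounds problem described in the log: a suffix array with exactly oldsize initialised entries, and a bsdiff-style binary search whose bounds are checked against that length before any entry is read, called with [0, oldsize-1] as the fix does. The suffix sort uses qsort() in place of divsufsort(), the names build_suffix_array(), search() and find_longest_match() are this example's own, the empty-file and single-byte cases are handled explicitly, and the inputs in the comments are constructed samples.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example: a suffix array over `old` with exactly oldsize
 * entries (indices 0..oldsize-1 initialised, as the commit log says
 * divsufsort() guarantees), plus a bsdiff-style search over it.
 */

/* Comparator state for qsort(); a real build would call divsufsort(). */
static const unsigned char *g_old;
static size_t g_oldsize;

static int cmp_suffix(const void *a, const void *b)
{
	size_t ia = *(const size_t *)a, ib = *(const size_t *)b;
	size_t la = g_oldsize - ia, lb = g_oldsize - ib;
	size_t n = la < lb ? la : lb;
	int r = memcmp(g_old + ia, g_old + ib, n);

	if (r != 0)
		return r;
	return la < lb ? -1 : (la > lb ? 1 : 0);
}

/* Returns a malloc'd array of the oldsize suffix offsets, sorted lexicographically. */
size_t *build_suffix_array(const unsigned char *old, size_t oldsize)
{
	/* +1 only so that oldsize == 0 is not malloc(0); I[oldsize] stays uninitialised. */
	size_t *I = malloc((oldsize + 1) * sizeof *I);
	size_t i;

	if (I == NULL)
		return NULL;
	for (i = 0; i < oldsize; i++)
		I[i] = i;
	g_old = old;
	g_oldsize = oldsize;
	qsort(I, oldsize, sizeof *I, cmp_suffix);
	return I;
}

/* Length of the common prefix of a[0..alen) and b[0..blen). */
static size_t matchlen(const unsigned char *a, size_t alen,
    const unsigned char *b, size_t blen)
{
	size_t i;

	for (i = 0; i < alen && i < blen; i++)
		if (a[i] != b[i])
			break;
	return i;
}

/*
 * Binary search over suffix-array entries st..en (inclusive) for the suffix
 * of old sharing the longest prefix with nbuf.  Both bounds must index
 * initialised entries, i.e. en <= oldsize-1; the pre-fix call passed
 * en == oldsize, which is exactly the slot this helper refuses to read.
 */
size_t search(const size_t *I, const unsigned char *old, size_t oldsize,
    const unsigned char *nbuf, size_t newsize, size_t st, size_t en, size_t *pos)
{
	size_t x, y, n;

	*pos = 0;
	if (oldsize == 0 || st > en || en > oldsize - 1)
		return 0;	/* out-of-range bound: refuse instead of reading garbage */
	while (en - st >= 2) {
		x = st + (en - st) / 2;
		n = oldsize - I[x] < newsize ? oldsize - I[x] : newsize;
		if (memcmp(old + I[x], nbuf, n) < 0)
			st = x;
		else
			en = x;
	}
	x = matchlen(old + I[st], oldsize - I[st], nbuf, newsize);
	y = matchlen(old + I[en], oldsize - I[en], nbuf, newsize);
	if (x > y) {
		*pos = I[st];
		return x;
	}
	*pos = I[en];
	return y;
}

/* The fixed call pattern: bounds [0, oldsize-1], with the empty-file case short-circuited. */
size_t find_longest_match(const unsigned char *old, size_t oldsize,
    const unsigned char *nbuf, size_t newsize, size_t *pos)
{
	size_t *I, len;

	*pos = 0;
	if (oldsize == 0)
		return 0;
	I = build_suffix_array(old, oldsize);
	if (I == NULL)
		return 0;
	len = search(I, old, oldsize, nbuf, newsize, 0, oldsize - 1, pos);
	free(I);
	return len;
}
```

With old = "abracadabra" and nbuf = "cadabraX" (constructed), find_longest_match() reports a 7-byte match at offset 4; calling search() with en == oldsize returns 0 without touching the array, which is the read the original call site performed.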