Date:      Mon, 16 Nov 2020 18:41:50 +0000 (UTC)
From:      Mitchell Horne <mhorne@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r367734 - head/usr.bin/bsdiff/bsdiff
Message-ID:  <202011161841.0AGIfo9f069763@repo.freebsd.org>

Author: mhorne
Date: Mon Nov 16 18:41:49 2020
New Revision: 367734
URL: https://svnweb.freebsd.org/changeset/base/367734

Log:
  bsdiff: fix off-by-one error
  
  The program reads oldsize bytes from oldfile, and proceeds to initialize
  a suffix array of oldsize elements using divsufsort(). As per the
  function's API [1], array indices 0 through n-1 are initialized.
  
  Later, search() is called, but with index bounds [0, n]. Depending on
  the contents of the malloc'd buffer, accessing this uninitialized index
  at the end of the array can result in a segmentation fault. Fix this by
  passing oldsize-1 to search(), limiting the search bounds to [0, n-1].
  
  This bug is a result of r303285, which introduced divsufsort() as an
  alternate suffix sorting function to the existing qsufsort(). It seems
  that qsufsort() did initialize the final empty element, meaning it could
  be safely accessed. This difference in the implementations was missed at
  the time.
  
  [1] https://github.com/y-256/libdivsufsort
  
  Discussed with:	cperciva
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D26911
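A worked illustration of the bounds problem the log describes, added here as an example; it is not code from bsdiff or FreeBSD. search() follows the inclusive [st, en] binary-search convention the log refers to, build_suffix_array() is a plain qsort() stand-in for divsufsort() that, like the library API, fills only I[0..n-1], and a bounds-checked accessor counts any read of I[n] instead of dereferencing it. The "old" and "new" buffers are constructed samples; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of times search() asked for I[n], the slot that the log message
 * says divsufsort() leaves uninitialized. */
static size_t oob_reads;

/* Bounds-checked accessor: indices 0..n-1 are real; anything else is
 * recorded and replaced by 0 so this demo stays memory-safe. In real
 * bsdiff the garbage in I[n] becomes an offset into the old buffer. */
static long sa_at(const long *I, long n, long idx)
{
    if (idx < 0 || idx >= n) {
        oob_reads++;
        return 0;
    }
    return I[idx];
}

static const unsigned char *g_old;
static long g_n;

/* Suffix ordering for qsort(): memcmp on the common prefix, shorter first. */
static int suffix_cmp(const void *a, const void *b)
{
    long ia = *(const long *)a, ib = *(const long *)b;
    long la = g_n - ia, lb = g_n - ib;
    int c = memcmp(g_old + ia, g_old + ib, (size_t)(la < lb ? la : lb));
    if (c != 0) return c;
    return (la > lb) - (la < lb);
}

/* Simple suffix sort standing in for divsufsort(): initializes I[0..n-1]
 * only, exactly the range the library API promises. */
static long *build_suffix_array(const unsigned char *old, long n)
{
    long *I = malloc((size_t)(n > 0 ? n : 1) * sizeof *I);
    if (I == NULL) return NULL;
    for (long i = 0; i < n; i++) I[i] = i;
    g_old = old; g_n = n;
    qsort(I, (size_t)n, sizeof *I, suffix_cmp);
    return I;
}

/* Length of the common prefix of two byte ranges. */
static long matchlen(const unsigned char *old, long oldsize,
                     const unsigned char *new_, long newsize)
{
    long i;
    for (i = 0; i < oldsize && i < newsize; i++)
        if (old[i] != new_[i]) break;
    return i;
}

/* Binary search over suffixes I[st..en], both bounds inclusive. The base
 * case always examines I[en], so en must not exceed n-1. */
static long search(const long *I, const unsigned char *old, long oldsize,
                   const unsigned char *new_, long newsize,
                   long st, long en, long *pos)
{
    if (en - st < 2) {
        long is = sa_at(I, oldsize, st), ie = sa_at(I, oldsize, en);
        long x = matchlen(old + is, oldsize - is, new_, newsize);
        long y = matchlen(old + ie, oldsize - ie, new_, newsize);
        if (x > y) { *pos = is; return x; }
        *pos = ie;
        return y;
    }
    long mid = st + (en - st) / 2;
    long im = sa_at(I, oldsize, mid);
    long m = oldsize - im < newsize ? oldsize - im : newsize;
    if (memcmp(old + im, new_, (size_t)m) < 0)
        return search(I, old, oldsize, new_, newsize, mid, en, pos);
    return search(I, old, oldsize, new_, newsize, st, mid, pos);
}

/* One search of new_s against old_s with upper bound en; returns the match
 * length and stores the matched offset in *pos. */
static long one_search(const char *old_s, const char *new_s, long en, long *pos)
{
    const unsigned char *old = (const unsigned char *)old_s;
    long n = (long)strlen(old_s);
    long *I = build_suffix_array(old, n);
    long len = search(I, old, n, (const unsigned char *)new_s,
                      (long)strlen(new_s), 0, en, pos);
    free(I);
    return len;
}

long longest_match(const char *old_s, const char *new_s, long en)
{
    long pos;
    return one_search(old_s, new_s, en, &pos);
}

long longest_match_pos(const char *old_s, const char *new_s, long en)
{
    long pos;
    one_search(old_s, new_s, en, &pos);
    return pos;
}

/* Mirror the scan loop: search from every position of new_s and report how
 * many of those searches touched I[n]. */
size_t oob_reads_over_scan(const char *old_s, const char *new_s, long en)
{
    const unsigned char *old = (const unsigned char *)old_s;
    const unsigned char *new_ = (const unsigned char *)new_s;
    long n = (long)strlen(old_s), newsize = (long)strlen(new_s), pos;
    long *I = build_suffix_array(old, n);
    oob_reads = 0;
    for (long scan = 0; scan < newsize; scan++)
        search(I, old, n, new_ + scan, newsize - scan, 0, en, &pos);
    free(I);
    return oob_reads;
}

int main(void)
{
    const char *old = "abracadabra";  /* constructed sample old file */
    const char *new_ = "cadabrazz";   /* constructed sample new file */
    long n = (long)strlen(old);

    printf("longest match: %ld bytes at old offset %ld\n",
           longest_match(old, new_, n - 1), longest_match_pos(old, new_, n - 1));
    printf("reads of I[n] with en = n   : %zu\n", oob_reads_over_scan(old, new_, n));
    printf("reads of I[n] with en = n-1 : %zu\n", oob_reads_over_scan(old, new_, n - 1));
    return 0;
}
```

The wider bound is only reached when the bytes at the current scan position sort after every suffix of the old file (here the trailing "zz" and "z"), which is why the crash depended on input and on what happened to sit in the malloc'd slot; with en = n-1 the same searches still return the correct 7-byte match at offset 4 and never touch I[n].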

Modified:
  head/usr.bin/bsdiff/bsdiff/bsdiff.c

Modified: head/usr.bin/bsdiff/bsdiff/bsdiff.c
==============================================================================
--- head/usr.bin/bsdiff/bsdiff/bsdiff.c	Mon Nov 16 17:56:58 2020	(r367733)
+++ head/usr.bin/bsdiff/bsdiff/bsdiff.c	Mon Nov 16 18:41:49 2020	(r367734)
@@ -212,7 +212,7 @@ int main(int argc,char *argv[])
 
 		for(scsc=scan+=len;scan<newsize;scan++) {
 			len=search(I,old,oldsize,new+scan,newsize-scan,
-					0,oldsize,&pos);
+					0,oldsize-1,&pos);
 
 			for(;scsc<scan+len;scsc++)
 			if((scsc+lastoffset<oldsize) &&
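Review bot: with the upper bound now oldsize-1, an empty old file (oldsize == 0) hands search() the range [0, -1]; nothing in this hunk shows whether oldsize == 0 is rejected before the scan loop reaches this call or whether search() tolerates en < st, so it is worth confirming one or the other, or guarding the call. A short comment on the new argument, e.g. `/* I[0..oldsize-1]: divsufsort() leaves I[oldsize] uninitialized */`, would also keep the next reader from "fixing" it back to oldsize, since the qsufsort() path the log mentions did accept the wider range.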
