From: Mitchell Horne
Date: Mon, 16 Nov 2020 18:41:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r367734 - head/usr.bin/bsdiff/bsdiff

Author: mhorne
Date: Mon Nov 16 18:41:49 2020
New Revision: 367734
URL: https://svnweb.freebsd.org/changeset/base/367734

Log:
  bsdiff: fix off-by-one error

  The program reads oldsize bytes from oldfile, and proceeds to initialize a suffix array of oldsize elements using divsufsort(). As per the function's API [1], array indices 0 through n-1 are initialized.

  Later, search() is called, but with index bounds [0, n]. Depending on the contents of the malloc'd buffer, accessing this uninitialized index at the end of can result in a segmentation fault.

  Fix this by passing oldsize-1 to search(), limiting the search bounds to [0, n-1].

  This bug is a result of r303285, which introduced divsufsort() as an alternate suffix sorting function to the existing qsufsort(). It seems that qsufsort() did initialize the final empty element, meaning it could be safely accessed. This difference in the implementations was missed at the time.

  [1] https://github.com/y-256/libdivsufsort

  Discussed with: cperciva
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D26911

Modified:
  head/usr.bin/bsdiff/bsdiff/bsdiff.c

Modified: head/usr.bin/bsdiff/bsdiff/bsdiff.c ============================================================================== --- head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 17:56:58 2020 (r367733) +++ head/usr.bin/bsdiff/bsdiff/bsdiff.c Mon Nov 16 18:41:49 2020 (r367734) @@ -212,7 +212,7 @@ int main(int argc,char *argv[]) for(scsc=scan+=len;scan
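
Review bot: the search() call in main() that this hunk touches (around line 212) takes oldsize-1 as its upper bound according to the log, and that value is -1 when oldfile is empty. The visible lines do not show a guard for oldsize == 0, so it is worth confirming that search() never indexes the suffix array with a negative bound, or adding an explicit early check before the scan loop. A short comment at the call site stating that divsufsort() initializes only indices 0 through n-1 would also keep the bound from being changed back to oldsize later.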