bsdiff: fix off-by-one error
ClosedPublic

Authored by mhorne on Oct 22 2020, 8:13 PM.
Details

Summary

The program reads oldsize bytes from oldfile, and proceeds to initialize
a suffix array of oldsize elements using divsufsort(). As per the
function's API [1], array indices 0 through n-1 are initialized.

Later, search() is called, but with index bounds [0, n]. Depending on
the contents of the malloc'd buffer, accessing this uninitialized index
at the end of the array can result in a segmentation fault. Fix this by passing
oldsize-1 to search(), making the search bounds [0, n-1].

[1] https://github.com/y-256/libdivsufsort
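The following is an added illustration, not code from this revision or from FreeBSD's bsdiff. It reimplements the shape of bsdiff's binary search over a suffix array (a base case that reads both I[st] and I[en]), uses a naive qsort-based suffix sort in place of divsufsort(), and instruments every I[] read so the largest index touched is visible. The function names (bsdiff_search_demo, read_index, build_suffix_array) and the sample strings are constructed for the example; the spare slot I[oldsize] is set to 0 here only so the original bound can be exercised without crashing, whereas in the real program it holds whatever malloc left there.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Largest suffix-array index read during the most recent search();
 * this instrumentation is what exposes the off-by-one. */
static int max_index_read;

static int read_index(const int *I, int idx)
{
	if (idx > max_index_read)
		max_index_read = idx;
	return I[idx];
}

/* Naive suffix sort standing in for divsufsort(); lexicographic order,
 * shorter suffix first on a tie, matches a real suffix array. */
static const unsigned char *sort_base;
static int sort_len;

static int cmp_suffix(const void *a, const void *b)
{
	int ia = *(const int *)a, ib = *(const int *)b;
	int la = sort_len - ia, lb = sort_len - ib;
	int r = memcmp(sort_base + ia, sort_base + ib, MIN(la, lb));
	return r != 0 ? r : la - lb;
}

/* Allocates oldsize+1 slots but only fills indices 0..oldsize-1, as the
 * divsufsort API does. Slot oldsize is a stand-in for the uninitialized one. */
static int *build_suffix_array(const unsigned char *old, int oldsize)
{
	int *I = malloc((size_t)(oldsize + 1) * sizeof(int));
	for (int i = 0; i < oldsize; i++)
		I[i] = i;
	sort_base = old;
	sort_len = oldsize;
	qsort(I, (size_t)oldsize, sizeof(int), cmp_suffix);
	I[oldsize] = 0; /* constructed: keeps the buggy bound from crashing here */
	return I;
}

static int matchlen(const unsigned char *a, int alen, const unsigned char *b, int blen)
{
	int i;
	for (i = 0; i < alen && i < blen && a[i] == b[i]; i++)
		;
	return i;
}

/* Binary search for the suffix sharing the longest prefix with needle.
 * The base case reads both I[st] and I[en], so en must be a valid index. */
static int search(const int *I, const unsigned char *old, int oldsize,
    const unsigned char *needle, int nlen, int st, int en, int *pos)
{
	if (en - st < 2) {
		int is = read_index(I, st), ie = read_index(I, en);
		int x = matchlen(old + is, oldsize - is, needle, nlen);
		int y = matchlen(old + ie, oldsize - ie, needle, nlen);
		if (x > y) {
			*pos = is;
			return x;
		}
		*pos = ie;
		return y;
	}
	int mid = st + (en - st) / 2;
	int im = read_index(I, mid);
	if (memcmp(old + im, needle, (size_t)MIN(oldsize - im, nlen)) < 0)
		return search(I, old, oldsize, needle, nlen, mid, en, pos);
	return search(I, old, oldsize, needle, nlen, st, mid, pos);
}

/* Runs one search with the corrected upper bound (fixed != 0: oldsize-1) or
 * the original one (fixed == 0: oldsize). Returns the match length; *pos gets
 * the offset in old, *max_idx the largest I[] index that was read. */
int bsdiff_search_demo(const char *old_s, const char *needle_s, int fixed,
    int *pos, int *max_idx)
{
	const unsigned char *old = (const unsigned char *)old_s;
	const unsigned char *needle = (const unsigned char *)needle_s;
	int oldsize = (int)strlen(old_s), nlen = (int)strlen(needle_s);
	int *I = build_suffix_array(old, oldsize);
	int en = fixed ? oldsize - 1 : oldsize;

	max_index_read = -1;
	int len = search(I, old, oldsize, needle, nlen, 0, en, pos);
	*max_idx = max_index_read;
	free(I);
	return len;
}

int main(void)
{
	int pos, maxi;
	/* Constructed input: a needle greater than every suffix drives the search
	 * to the right edge, where the original bound reads I[oldsize]. */
	bsdiff_search_demo("abc", "zzz", 0, &pos, &maxi);
	printf("bound oldsize:   max index read=%d (valid: 0..2)\n", maxi);
	bsdiff_search_demo("abc", "zzz", 1, &pos, &maxi);
	printf("bound oldsize-1: max index read=%d\n", maxi);
	int len = bsdiff_search_demo("hello world", "world", 1, &pos, &maxi);
	printf("match: len=%d pos=%d\n", len, pos);
	return 0;
}
```

With the original bound the search ends at index oldsize, one past the last slot divsufsort() initialized; in bsdiff that value is then used as an offset into the old file, which is where the segmentation fault the summary describes comes from. With oldsize-1 the largest index read is oldsize-1 and the longest-match result is unchanged for inputs that never reach the edge.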

Test Plan

This fixes the segfault I experienced at the end of building an update, on arm64.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

mhorne created this revision.

Looks good to me. This is a bug introduced in r303285; the original qsufsort sorted oldsize+1 strings including an implicit empty string, but it looks like the divsufsort which replaced it doesn't do this.

This revision was not accepted when it landed; it landed in state Needs Review. Nov 16 2020, 6:42 PM
Closed by commit rS367734: bsdiff: fix off-by-one error (authored by mhorne).
This revision was automatically updated to reflect the committed changes.