
bsdiff: fix off-by-one error
ClosedPublic

Authored by mhorne on Oct 22 2020, 8:13 PM.
Details

Summary

The program reads oldsize bytes from oldfile, and proceeds to initialize
a suffix array of oldsize elements using divsufsort(). As per the
function's API [1], array indices 0 through n-1 are initialized.

Later, search() is called, but with index bounds [0, n]. Depending on
the contents of the malloc'd buffer, accessing this uninitialized index
at the end of the array can result in a segmentation fault. Fix this by passing
oldsize-1 to search(), making the search bounds [0, n-1].

[1] https://github.com/y-256/libdivsufsort
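The index arithmetic described above, as an added C model that is not bsdiff's or FreeBSD's code: a naive qsort stands in for divsufsort (and, like it, fills only I[0..n-1]), while the assumed read_I() helper and max_index_touched() function are instrumentation that records the highest suffix-array slot the binary search reads, so the pre-fix bound en = n can be observed without dereferencing uninitialized memory.

```c
#include <stdlib.h>
#include <string.h>
/* Added model of bsdiff's search() (not the FreeBSD source). A naive qsort
 * stands in for divsufsort and, like it, fills only I[0..n-1]. read_I()
 * records the highest index used and refuses slot n, so the pre-fix bound
 * en = n is observable here instead of segfaulting. */
static const unsigned char *g_old;
static size_t g_n, g_max_idx;
static int cmp_suffix(const void *a, const void *b) {
	size_t ia = *(const size_t *)a, ib = *(const size_t *)b;
	size_t la = g_n - ia, lb = g_n - ib;
	int c = memcmp(g_old + ia, g_old + ib, la < lb ? la : lb);
	return c ? c : (la < lb ? -1 : la > lb);	/* shorter suffix first */
}
static size_t read_I(const size_t *I, size_t idx, size_t n) {
	if (idx > g_max_idx) g_max_idx = idx;
	return idx < n ? I[idx] : 0;	/* slot n was never initialized */
}
static size_t matchlen(const unsigned char *a, size_t al, const unsigned char *b, size_t bl) {
	size_t i = 0;
	while (i < al && i < bl && a[i] == b[i]) i++;
	return i;
}

/* Same shape as bsdiff's search(): inclusive bounds [st, en] into I[]. */
static size_t search(const size_t *I, const unsigned char *old, size_t n,
    const unsigned char *nw, size_t nl, size_t st, size_t en) {
	if (en - st < 2) {
		size_t is = read_I(I, st, n), ie = read_I(I, en, n);
		size_t x = matchlen(old + is, n - is, nw, nl), y = matchlen(old + ie, n - ie, nw, nl);
		return x > y ? x : y;
	}
	size_t m = st + (en - st) / 2, im = read_I(I, m, n);
	if (memcmp(old + im, nw, n - im < nl ? n - im : nl) < 0)
		return search(I, old, n, nw, nl, m, en);
	return search(I, old, n, nw, nl, st, m);
}

/* Highest I[] index read while searching nw in old: pre-fix bound en = n
 * when fixed == 0, the corrected en = n - 1 otherwise. */
size_t max_index_touched(const char *old, const char *nw, int fixed) {
	size_t n = strlen(old), *I = malloc(n * sizeof *I);
	for (size_t i = 0; i < n; i++) I[i] = i;
	g_old = (const unsigned char *)old; g_n = n; g_max_idx = 0;
	qsort(I, n, sizeof *I, cmp_suffix);
	search(I, g_old, n, (const unsigned char *)nw, strlen(nw), 0, fixed ? n - 1 : n);
	free(I);
	return g_max_idx;
}
```

Whether the stale slot is reached depends on the data: when the new bytes sort after every suffix of old, the search walks to the right edge and reads I[n]; with other inputs it stops earlier, which is why the crash appeared only on some builds.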

Test Plan

This fixes the segfault I experienced at the end of building an update, on arm64.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

mhorne created this revision.

Looks good to me. This is a bug introduced in r303285; the original qsufsort sorted oldsize+1 strings including an implicit empty string, but it looks like the divsufsort which replaced it doesn't do this.

This revision was not accepted when it landed; it landed in state Needs Review. Nov 16 2020, 6:42 PM
Closed by commit rS367734: bsdiff: fix off-by-one error (authored by mhorne).
This revision was automatically updated to reflect the committed changes.