
bsdiff: fix off-by-one error
Closed, Public

Authored by mhorne on Oct 22 2020, 8:13 PM.
Details

Summary

The program reads oldsize bytes from oldfile, and proceeds to initialize
a suffix array of oldsize elements using divsufsort(). As per the
function's API [1], array indices 0 through n-1 are initialized.

Later, search() is called, but with index bounds [0, n]. Depending on
the contents of the malloc'd buffer, accessing this uninitialized index
at the end of the array can result in a segmentation fault. Fix this by
passing oldsize-1 to search(), making the search bounds [0, n-1].

[1] https://github.com/y-256/libdivsufsort
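The following program is an added illustration of the bug described in the summary; it is not the bsdiff sources and does not use libdivsufsort. It builds a suffix array with exactly n initialised entries (indices 0..n-1, as divsufsort does) in an n+1 slot buffer, fills slot n with a poison marker so the out-of-range read is detected deterministically rather than being undefined behaviour, and runs a bsdiff-style binary search with the pre-fix bounds [0, n] and the fixed bounds [0, n-1]. The search only dereferences I[en] in its final step, which is reached with en == n when the new data sorts above every probed suffix of old; so the crash is data-dependent, which is why a build could survive until its last block. The names build_suffix_array, search, longest_match and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example for the bsdiff off-by-one; not the bsdiff or
 * libdivsufsort sources. Slot n of the suffix array holds this poison value
 * so that a read past the initialised entries is detected deterministically
 * instead of being undefined behaviour. */
#define SA_POISON ((size_t)-1)

/* State for the qsort comparator (qsort has no context argument). */
static const unsigned char *g_old;
static size_t g_oldsize;

static int suffix_cmp(const void *a, const void *b)
{
    size_t ia = *(const size_t *)a, ib = *(const size_t *)b;
    size_t la = g_oldsize - ia, lb = g_oldsize - ib;
    size_t m = la < lb ? la : lb;
    int c = memcmp(g_old + ia, g_old + ib, m);
    if (c != 0)
        return c;
    return la < lb ? -1 : (la > lb ? 1 : 0);   /* shorter suffix sorts first */
}

/* Suffix array with exactly n initialised entries, indices 0..n-1, which is
 * what divsufsort provides. Slot n exists (the buffer has n+1 entries) but
 * holds only the poison marker; it is never a valid suffix index. */
size_t *build_suffix_array(const unsigned char *old, size_t n)
{
    size_t *I = malloc((n + 1) * sizeof *I);
    if (I == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        I[i] = i;
    g_old = old;
    g_oldsize = n;
    qsort(I, n, sizeof *I, suffix_cmp);
    I[n] = SA_POISON;
    return I;
}

static size_t matchlen(const unsigned char *a, size_t alen,
                       const unsigned char *b, size_t blen)
{
    size_t i = 0;
    while (i < alen && i < blen && a[i] == b[i])
        i++;
    return i;
}

/* bsdiff-style binary search over I with inclusive bounds [st, en].
 * Returns the longest match length and stores its offset in *pos, or -1
 * if the search dereferences a slot beyond the initialised entries. */
long search(const size_t *I, const unsigned char *old, size_t oldsize,
            const unsigned char *needle, size_t needlesize,
            size_t st, size_t en, size_t *pos)
{
    if (en - st < 2) {
        /* The only place I[en] is read. The search arrives here with
         * en == oldsize whenever needle sorted above every probed suffix. */
        if (I[st] == SA_POISON || I[en] == SA_POISON)
            return -1;
        size_t x = matchlen(old + I[st], oldsize - I[st], needle, needlesize);
        size_t y = matchlen(old + I[en], oldsize - I[en], needle, needlesize);
        if (x > y) {
            *pos = I[st];
            return (long)x;
        }
        *pos = I[en];
        return (long)y;
    }
    size_t x = st + (en - st) / 2;     /* st < x < en, so I[x] is initialised */
    size_t m = oldsize - I[x] < needlesize ? oldsize - I[x] : needlesize;
    if (memcmp(old + I[x], needle, m) < 0)
        return search(I, old, oldsize, needle, needlesize, x, en, pos);
    return search(I, old, oldsize, needle, needlesize, st, x, pos);
}

/* One lookup with either the pre-fix bounds [0, n] (fixed_bounds == 0) or
 * the fixed bounds [0, n-1] (fixed_bounds != 0). oldsize must be >= 1. */
long longest_match(const unsigned char *old, size_t oldsize,
                   const unsigned char *needle, size_t needlesize,
                   int fixed_bounds, size_t *pos)
{
    size_t *I = build_suffix_array(old, oldsize);
    if (I == NULL)
        return -1;
    size_t en = fixed_bounds ? oldsize - 1 : oldsize;
    long len = search(I, old, oldsize, needle, needlesize, 0, en, pos);
    free(I);
    return len;
}

int main(void)
{
    /* Constructed sample: "zzz" sorts above every suffix of "abracadabra". */
    const unsigned char *old = (const unsigned char *)"abracadabra";
    const unsigned char *zz = (const unsigned char *)"zzz";
    size_t pos = 0;
    printf("bounds [0, n]:   %ld\n", longest_match(old, 11, zz, 3, 0, &pos));
    printf("bounds [0, n-1]: %ld\n", longest_match(old, 11, zz, 3, 1, &pos));
    return 0;
}
```

With the pre-fix bounds the "zzz" lookup returns -1 (it reached the poisoned slot n, where the real program reads whatever malloc left there); with the fixed bounds it returns a zero-length match at the last suffix. A needle that does match inside old, such as "cadabraXYZ", returns the same 7-byte match at offset 4 under both bounds, because the search never reaches en in that case.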

Test Plan

This fixes the segfault I experienced at the end of building an update, on arm64.


Event Timeline

mhorne created this revision.

Looks good to me. This is a bug introduced in r303285; the original qsufsort sorted oldsize+1 strings including an implicit empty string, but it looks like the divsufsort which replaced it doesn't do this.

This revision was not accepted when it landed; it landed in state Needs Review. Nov 16 2020, 6:42 PM
Closed by commit rS367734: bsdiff: fix off-by-one error (authored by mhorne).
This revision was automatically updated to reflect the committed changes.