FreeBSD Bugzilla – Attachment 180381 Details for
Bug 213922
crafted data could cause qsort to exhaust stack space
[patch]
Diff from pull request
123 (text/plain), 3.58 KB, created by
Warner Losh
on 2017-03-01 06:18:17 UTC
Description:
Diff from pull request
Filename:
MIME Type:
Creator:
Warner Losh
Created:
2017-03-01 06:18:17 UTC
Size:
3.58 KB
patch
obsolete
>diff --git a/crypto/heimdal/lib/roken/qsort.c b/crypto/heimdal/lib/roken/qsort.c
>index 768981334f2..1d3c18973e6 100644
>--- a/crypto/heimdal/lib/roken/qsort.c
>+++ b/crypto/heimdal/lib/roken/qsort.c
>@@ -185,19 +185,35 @@ loop: SWAPINIT(a, es);
> vecswap(a, pb - r, r);
> r = min(pd - pc, pn - pd - es);
> vecswap(pb, pn - r, r);
>- if ((r = pb - pa) > es)
>+ if ((pb - pa) < (pd - pc)) {
>+ if ((r = pb - pa) > es)
> #ifdef I_AM_QSORT_R
>- rk_qsort_r(a, r / es, es, thunk, cmp);
>+ rk_qsort_r(a, r / es, es, thunk, cmp);
> #else
>- rk_qsort(a, r / es, es, cmp);
>+ rk_qsort(a, r / es, es, cmp);
> #endif
>- if ((r = pd - pc) > es) {
>- /* Iterate rather than recurse to save stack space */
>- a = pn - r;
>- n = r / es;
>- goto loop;
>+ if ((r = pd - pc) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ a = pn - r;
>+ n = r / es;
>+ goto loop;
>+ }
>+/* rk_qsort(pn - r, r / es, es, cmp);*/
>+ } else {
>+ if ((r = pd - pc) > es)
>+#ifdef I_AM_QSORT_R
>+ rk_qsort_r(pn - r, r / es, es, thunk, cmp);
>+#else
>+ rk_qsort(pn - r, r / es, es, cmp);
>+#endif
>+ if ((r = pb - pa) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ /* a = a; */
>+ n = r / es;
>+ goto loop;
>+ }
>+/* rk_qsort(a, r / es, es, cmp);*/
> }
>-/* rk_qsort(pn - r, r / es, es, cmp);*/
> }
>
> #endif /* NEED_QSORT */
>diff --git a/lib/libc/stdlib/qsort.c b/lib/libc/stdlib/qsort.c
>index 08816887cf7..b7d188c3237 100644
>--- a/lib/libc/stdlib/qsort.c
>+++ b/lib/libc/stdlib/qsort.c
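Review bot: The new test `(pb - pa) < (pd - pc)` is what bounds the recursion depth, but nothing in the hunk says so; both branches carry only the old "Iterate rather than recurse" comment plus dead commented-out code (`/* a = a; */` and the two `/* rk_qsort(...);*/` lines). I would put `/* Recurse on the smaller partition and iterate on the larger, so the recursion depth stays logarithmic in n even for crafted input. */` above the `if ((pb - pa) < (pd - pc)) {` line and delete the commented-out statements. The same applies to the matching hunks in lib/libc/stdlib/qsort.c and sys/libkern/qsort.c; the libkern copy already drops the commented-out calls but keeps `/* a = a; */`, and the bound presumably matters most there if the kernel stack is small. The change limits stack use only, and whether running time on such input is also bounded cannot be judged from the hunk, since the enclosing function begins outside it.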
>@@ -186,17 +186,33 @@ loop: SWAPINIT(long, a, es);
> vecswap(a, pb - r, r);
> r = MIN(pd - pc, pn - pd - es);
> vecswap(pb, pn - r, r);
>- if ((r = pb - pa) > es)
>+ if ((pb - pa) < (pd - pc)) {
>+ if ((r = pb - pa) > es)
> #ifdef I_AM_QSORT_R
>- qsort_r(a, r / es, es, thunk, cmp);
>+ qsort_r(a, r / es, es, thunk, cmp);
> #else
>- qsort(a, r / es, es, cmp);
>+ qsort(a, r / es, es, cmp);
> #endif
>- if ((r = pd - pc) > es) {
>- /* Iterate rather than recurse to save stack space */
>- a = pn - r;
>- n = r / es;
>- goto loop;
>+ if ((r = pd - pc) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ a = pn - r;
>+ n = r / es;
>+ goto loop;
>+ }
>+/* qsort(pn - r, r / es, es, cmp);*/
>+ } else {
>+ if ((r = pd - pc) > es)
>+#ifdef I_AM_QSORT_R
>+ qsort_r(pn - r, r / es, es, thunk, cmp);
>+#else
>+ qsort(pn - r, r / es, es, cmp);
>+#endif
>+ if ((r = pb - pa) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ /* a = a; */
>+ n = r / es;
>+ goto loop;
>+ }
>+/* qsort(a, r / es, es, cmp);*/
> }
>-/* qsort(pn - r, r / es, es, cmp);*/
> }
>diff --git a/sys/libkern/qsort.c b/sys/libkern/qsort.c
>index bb0baee73c9..3ec5d45da43 100644
>--- a/sys/libkern/qsort.c
>+++ b/sys/libkern/qsort.c
>@@ -171,16 +171,31 @@ loop: SWAPINIT(a, es);
> vecswap(a, pb - r, r);
> r = min(pd - pc, pn - pd - es);
> vecswap(pb, pn - r, r);
>- if ((r = pb - pa) > es)
>+ if ((pb - pa) < (pd - pc)) {
>+ if ((r = pb - pa) > es)
> #ifdef I_AM_QSORT_R
>- qsort_r(a, r / es, es, thunk, cmp);
>+ qsort_r(a, r / es, es, thunk, cmp);
> #else
>- qsort(a, r / es, es, cmp);
>+ qsort(a, r / es, es, cmp);
> #endif
>- if ((r = pd - pc) > es) {
>- /* Iterate rather than recurse to save stack space */
>- a = pn - r;
>- n = r / es;
>- goto loop;
>+ if ((r = pd - pc) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ a = pn - r;
>+ n = r / es;
>+ goto loop;
>+ }
>+ } else {
>+ if ((r = pd - pc) > es)
>+#ifdef I_AM_QSORT_R
>+ qsort_r(pn - r, r / es, es, thunk, cmp);
>+#else
>+ qsort(pn - r, r / es, es, cmp);
>+#endif
>+ if ((r = pb - pa) > es) {
>+ /* Iterate rather than recurse to save stack space */
>+ /* a = a; */
>+ n = r / es;
>+ goto loop;
>+ }
> }
> }
Attachments on
bug 213922
: 180381