
Out of bounds access in mhash #13

Open
@rtsisyk

Description


Found by Coverity:

```
int
_mh(start_resize)(struct _mh(t) *h, mh_int_t buckets, mh_int_t batch,
                  mh_arg_t arg)
{
   1. Condition h->resize_position, taking false branch.
        if (h->resize_position) {
                /* resize has already been started */
                return 0;
        }
   2. Condition buckets < h->n_buckets, taking false branch.
        if (buckets < h->n_buckets) {
                /* hash size is already greater than requested */
                return 0;
        }
   3. Condition h->prime < 31, taking true branch.
   6. Condition h->prime < 31, taking true branch.
   9. Condition h->prime < 31, taking false branch.
   10. cond_const: Checking h->prime < 31U implies that h->prime is 31 on the false branch.
        while (h->prime < __ac_HASH_PRIME_SIZE) {
   4. Condition __ac_prime_list[h->prime] >= buckets, taking false branch.
   7. Condition __ac_prime_list[h->prime] >= buckets, taking false branch.
                if (__ac_prime_list[h->prime] >= buckets)
                        break;
                h->prime += 1;
   5. Jumping back to the beginning of the loop.
   8. Jumping back to the beginning of the loop.
        }

   11. Condition batch > 0, taking true branch.
        h->batch = batch > 0 ? batch : h->n_buckets / (256 * 1024);
   12. Condition h->batch < 256, taking true branch.
        if (h->batch < 256) {
                /*
                 * Minimal batch must be greater or equal to
                 * 1 / (1 - f), where f is upper bound percent
                 * = MH_DENSITY
                 */
                h->batch = 256;
        }

        struct _mh(t) *s = h->shadow;
        memcpy(s, h, sizeof(*h));
        s->resize_position = 0;
   CID 1398773: Out-of-bounds read (OVERRUN)
   CID 1398793: Out-of-bounds read (OVERRUN)
   CID 1398769: Out-of-bounds read (OVERRUN)
   CID 1398780: Out-of-bounds read (OVERRUN)
   CID 1398776: Out-of-bounds read (OVERRUN)
   CID 1398762 (#1 of 1): Out-of-bounds read (OVERRUN)
   13. overrun-local: Overrunning array __ac_prime_list of 31 4-byte elements at element index 31 (byte offset 124) using index h->prime (which evaluates to 31).
        s->n_buckets = __ac_prime_list[h->prime];
        s->upper_bound = s->n_buckets * MH_DENSITY;
        s->n_dirty = 0;
        s->size = 0;
        s->p = (mh_node_t *) malloc(s->n_buckets * sizeof(mh_node_t));
```
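The following is an added illustration of the path Coverity traced above; it is not code from mhash, and it does not claim to be the project's fix. `prime_list`, `PRIME_COUNT` and the bucket sizes are constructed stand-ins for `__ac_prime_list` and `__ac_HASH_PRIME_SIZE` (five entries instead of 31). The unchecked variant reproduces events 3, 6, 9 and 13 of the report: when no table entry is at least `buckets`, the `while` loop exits with the index equal to the table size, and the subsequent `__ac_prime_list[h->prime]` read is one element past the end. The hardened variant tests for table exhaustion before indexing and signals failure to the caller instead.

```c
/* Added example, not code from mhash: a reduced model of the prime-table
 * search in _mh(start_resize). prime_list, PRIME_COUNT and the sizes are
 * constructed stand-ins for __ac_prime_list / __ac_HASH_PRIME_SIZE. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PRIME_COUNT 5u
static const uint32_t prime_list[PRIME_COUNT] = { 3, 7, 13, 31, 61 };

/* Pattern from the report: walk the table from the current prime until an
 * entry is >= buckets or the table is exhausted, and return the index the
 * loop stops at. Reading prime_list[index] afterwards is exactly the access
 * Coverity flags: the index equals PRIME_COUNT when no entry is large enough. */
static uint32_t unchecked_prime_index(uint32_t prime, uint32_t buckets)
{
    while (prime < PRIME_COUNT) {
        if (prime_list[prime] >= buckets)
            break;
        prime += 1;
    }
    return prime;   /* == PRIME_COUNT (one past the end) when buckets > 61 */
}

/* True when the unchecked code path would read past prime_list. */
static int unchecked_would_overrun(uint32_t prime, uint32_t buckets)
{
    return unchecked_prime_index(prime, buckets) >= PRIME_COUNT;
}

/* Hardened variant: exhaustion is tested before the array is indexed.
 * Returns the bucket count to allocate, or 0 when no entry is large enough,
 * so the caller can refuse the resize instead of reading out of bounds. */
static uint32_t checked_resize_buckets(uint32_t prime, uint32_t buckets)
{
    uint32_t i = prime;
    while (i < PRIME_COUNT && prime_list[i] < buckets)
        i++;
    if (i == PRIME_COUNT)
        return 0;   /* the unchecked code indexes prime_list[PRIME_COUNT] here */
    return prime_list[i];
}

int main(void)
{
    /* Constructed requests: two that fit, two that exceed the largest prime. */
    static const uint32_t requests[] = { 10, 61, 62, 1000 };
    for (size_t k = 0; k < sizeof requests / sizeof requests[0]; k++) {
        uint32_t req = requests[k];
        printf("request %u: unchecked index %u%s, checked -> %u buckets\n",
               req, unchecked_prime_index(0, req),
               unchecked_would_overrun(0, req) ? " (OVERRUN)" : "",
               checked_resize_buckets(0, req));
    }
    return 0;
}
```

In the real function the check belongs between the `while` loop and `s->n_buckets = __ac_prime_list[h->prime]`: once `h->prime == __ac_HASH_PRIME_SIZE` there is no prime left to pick, and whatever the caller is told in that case, the table must not be indexed. Note that `h->prime` is already advanced before the failure is detected, so a variant that also preserves the old `h->prime` on failure (as the local `i` does above) avoids leaving the table in a state where every later resize attempt fails immediately.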

Labels: bug (Something isn't working)
