Out of bounds access in mhash #13

Open
rtsisyk opened this issue Jan 31, 2017 · 0 comments
Labels: bug
rtsisyk commented Jan 31, 2017

Found by Coverity:

```
int
_mh(start_resize)(struct _mh(t) *h, mh_int_t buckets, mh_int_t batch,
                  mh_arg_t arg)
{
   1. Condition h->resize_position, taking false branch.
        if (h->resize_position) {
                /* resize has already been started */
                return 0;
        }
   2. Condition buckets < h->n_buckets, taking false branch.
        if (buckets < h->n_buckets) {
                /* hash size is already greater than requested */
                return 0;
        }
   3. Condition h->prime < 31, taking true branch.
   6. Condition h->prime < 31, taking true branch.
   9. Condition h->prime < 31, taking false branch.
   10. cond_const: Checking h->prime < 31U implies that h->prime is 31 on the false branch.
        while (h->prime < __ac_HASH_PRIME_SIZE) {
   4. Condition __ac_prime_list[h->prime] >= buckets, taking false branch.
   7. Condition __ac_prime_list[h->prime] >= buckets, taking false branch.
                if (__ac_prime_list[h->prime] >= buckets)
                        break;
                h->prime += 1;
   5. Jumping back to the beginning of the loop.
   8. Jumping back to the beginning of the loop.
        }

   11. Condition batch > 0, taking true branch.
        h->batch = batch > 0 ? batch : h->n_buckets / (256 * 1024);
   12. Condition h->batch < 256, taking true branch.
        if (h->batch < 256) {
                /*
                 * Minimal batch must be greater or equal to
                 * 1 / (1 - f), where f is upper bound percent
                 * = MH_DENSITY
                 */
                h->batch = 256;
        }

        struct _mh(t) *s = h->shadow;
        memcpy(s, h, sizeof(*h));
        s->resize_position = 0;
   CID 1398773: Out-of-bounds read (OVERRUN)
   CID 1398793: Out-of-bounds read (OVERRUN)
   CID 1398769: Out-of-bounds read (OVERRUN)
   CID 1398780: Out-of-bounds read (OVERRUN)
   CID 1398776: Out-of-bounds read (OVERRUN)
   CID 1398762 (#1 of 1): Out-of-bounds read (OVERRUN)
   13. overrun-local: Overrunning array __ac_prime_list of 31 4-byte elements at element index 31 (byte offset 124) using index h->prime (which evaluates to 31).
        s->n_buckets = __ac_prime_list[h->prime];
        s->upper_bound = s->n_buckets * MH_DENSITY;
        s->n_dirty = 0;
        s->size = 0;
        s->p = (mh_node_t *) malloc(s->n_buckets * sizeof(mh_node_t));
```
rtsisyk added the bug label on Jan 31, 2017

kyukhin added this to the wishlist milestone on Oct 15, 2021
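The pattern behind the Coverity trace, as an added example that is neither the issue's listing nor the project's code: a scan over a fixed-size prime table exits with the index equal to the table size when no entry is large enough, and the next read then uses that index. The five-entry `prime_list` is a constructed stand-in for the real 31-entry `__ac_prime_list`; `find_prime_index` mirrors the reported loop, and `select_buckets` is a hypothetical hardened wrapper that refuses the resize instead of reading one past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 31-entry __ac_prime_list in the report;
 * only the shape matters: ascending primes in a fixed-size array. */
static const uint32_t prime_list[] = { 3, 11, 23, 53, 97 };
#define PRIME_SIZE (sizeof(prime_list) / sizeof(prime_list[0]))

/* Mirrors the loop in the report. Returns the index where the scan stopped.
 * If no entry satisfies prime_list[i] >= buckets, the result is PRIME_SIZE,
 * one past the last valid index (Coverity's "h->prime evaluates to 31"). */
static size_t find_prime_index(size_t start, uint32_t buckets)
{
        size_t i = start;
        while (i < PRIME_SIZE) {
                if (prime_list[i] >= buckets)
                        break;
                i++;
        }
        return i;
}

/* Hardened variant: fails when the table cannot grow any further, so the
 * caller never evaluates prime_list[PRIME_SIZE]. Returns 0 on success, -1
 * on failure, leaving *prime_idx unchanged on failure. */
static int select_buckets(size_t *prime_idx, uint32_t buckets,
                          uint32_t *n_buckets)
{
        size_t i = find_prime_index(*prime_idx, buckets);
        if (i >= PRIME_SIZE)
                return -1; /* the original indexes the table here */
        *prime_idx = i;
        *n_buckets = prime_list[i];
        return 0;
}

int main(void)
{
        size_t idx = 0;
        uint32_t n = 0;
        if (select_buckets(&idx, 50, &n) == 0)
                printf("50 buckets -> %u (index %zu)\n", n, idx);
        if (select_buckets(&idx, 1000, &n) != 0)
                printf("1000 buckets -> no prime large enough, resize refused\n");
        return 0;
}
```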