This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/2753] Integer overflow in bsearch


https://sourceware.org/bugzilla/show_bug.cgi?id=2753

Ulf Magnusson <ulfalizer at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |ulfalizer at gmail dot com
         Resolution|WORKSFORME                  |---

--- Comment #5 from Ulf Magnusson <ulfalizer at gmail dot com> ---
For what it's worth, here's a test case that causes bsearch() to hang when
sizeof(size_t) == 4:


#include <stdlib.h>
#include <string.h>

/* 2^31 + 1 elements: enough for __l + __u to wrap when size_t is 32 bits. */
#define LEN 0x80000001

static int compar(const void *a, const void *b) {
    return *(const char *)a - *(const char *)b;
}

int main(void) {
    char *arr = malloc(LEN), key = 1;
    if (arr == NULL)
        return 1;                           /* allocation failed; nothing to test */
    memset(arr, 0, LEN);                    /* all zeros, so key 1 is never found */
    bsearch(&key, arr, LEN, 1, compar);     /* hangs when sizeof(size_t) == 4 */
    return 0;
}


The bug could be fixed by replacing '__idx = (__l + __u) / 2' with '__idx = __l
+ (__u - __l)/2' in bits/stdlib-bsearch.h. I don't see a good reason not to.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
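The midpoint overflow this comment describes, reproduced as an added example (not code from the report or from glibc): indices are modelled as uint32_t so the 32-bit size_t case runs on any host, and the array is implicit (a callback answers the comparator), so the 2 GiB allocation is not needed. `search_implicit`, `mid_unsafe`, `mid_safe`, `REPORT_LEN` and the step budget are this example's own constructs; the two midpoint formulas are the ones the comment quotes.

```c
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t on any host so the report's case is reproducible. */
typedef uint32_t idx_t;

/* Midpoint as in the bits/stdlib-bsearch.h line the report quotes: the sum
   l + u wraps once it reaches 2^32, yielding an index far below l. */
static idx_t mid_unsafe(idx_t l, idx_t u)
{
    return (idx_t)(l + u) / 2;
}

/* Midpoint as the report proposes: u - l never exceeds u, so nothing wraps. */
static idx_t mid_safe(idx_t l, idx_t u)
{
    return l + (u - l) / 2;
}

typedef idx_t (*mid_fn)(idx_t l, idx_t u);

/* Comparator on an implicit element: returns <0, 0, >0 as the key compares to
   element idx, like a bsearch comparator, without the array having to exist. */
typedef int (*cmp_at_fn)(const void *ctx, idx_t idx);

/* Binary search over nmemb implicit elements with a pluggable midpoint.
   Returns 1 and sets *out when found, 0 when not found, and -1 when the loop
   runs past step_budget iterations; a terminating search needs at most about
   log2(nmemb) + 2 steps, so exceeding a generous budget signals non-termination. */
static int search_implicit(idx_t nmemb, cmp_at_fn cmp, const void *ctx,
                           mid_fn mid, unsigned step_budget, idx_t *out)
{
    idx_t l = 0, u = nmemb;
    unsigned steps = 0;
    while (l < u) {
        if (++steps > step_budget)
            return -1;
        idx_t i = mid(l, u);
        int c = cmp(ctx, i);
        if (c < 0)
            u = i;
        else if (c > 0)
            l = i + 1;
        else {
            *out = i;
            return 1;
        }
    }
    return 0;
}

/* The report's input (constructed here, never allocated): 0x80000001 zero
   bytes searched for key 1, so the comparator always answers "key is greater". */
#define REPORT_LEN 0x80000001u

static int cmp_all_zero_key_one(const void *ctx, idx_t idx)
{
    (void)ctx; (void)idx;
    return 1;
}

/* Run the report's case with the given midpoint; -1 means it would hang. */
static int demo_report_case(mid_fn mid, unsigned step_budget)
{
    idx_t out = 0;
    return search_implicit(REPORT_LEN, cmp_all_zero_key_one, NULL, mid, step_budget, &out);
}

/* A small real array, to show the safe midpoint still finds elements. */
struct bytes { const unsigned char *data; unsigned char key; };

static int cmp_bytes(const void *ctx, idx_t idx)
{
    const struct bytes *b = ctx;
    return (int)b->key - (int)b->data[idx];
}

static int find_byte(const unsigned char *data, idx_t n, unsigned char key, idx_t *out)
{
    struct bytes b = { data, key };
    return search_implicit(n, cmp_bytes, &b, mid_safe, 100, out);
}

int main(void)
{
    printf("mid_unsafe(0x80000000, 0x80000001) = 0x%08x\n", mid_unsafe(0x80000000u, 0x80000001u));
    printf("mid_safe  (0x80000000, 0x80000001) = 0x%08x\n", mid_safe(0x80000000u, 0x80000001u));
    printf("report case, unsafe midpoint: %d (-1 = exceeded step budget, i.e. hangs)\n",
           demo_report_case(mid_unsafe, 100));
    printf("report case, safe midpoint:   %d (0 = not found, terminated)\n",
           demo_report_case(mid_safe, 100));
    return 0;
}
```

With the unsafe midpoint the upper bound stays at 0x80000001 while the lower bound climbs; once it reaches 0x80000000 the sum wraps to 1, the midpoint becomes 0, the lower bound resets to 1 and the search cycles forever. With the safe midpoint the same input terminates as "not found" in about 33 steps, which is what a correct search over 2^31 + 1 elements should take.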

