Package: patch
Version: 2.6-2
Severity: normal
Hi,
thanks for maintaining the patch package.
While trying to track down an entirely different bug in Ubuntu, I stumbled upon
[1]. Rebuilding "patch" together with the attached patch to assert on
out-of-bounds accesses results in assertion failures in the test case.
Hence I assume that the array fd in bestmatch.h might be accessed out of the
defined bounds when using --merge.
In case I stumble upon a fix, I'll let you know (however, the code isn't trivial,
at least for me, so don't count on that).
Please also tell me if I'm horribly wrong, which might as well be the case.
Cheers,
Stefan.
[1]: <https://bugs.launchpad.net/ubuntu/+source/patch/+bug/534459>
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-15-generic (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages patch depends on:
ii libc6 2.11.1-0ubuntu4 Embedded GNU C Library: Shared lib
patch recommends no packages.
Versions of packages patch suggests:
pn diffutils-doc <none> (no description available)
ii ed 1.4-1build1 The classic UNIX line editor
-- no debconf information
--- patch-2.6.orig/src/bestmatch.h
+++ patch-2.6/src/bestmatch.h
@@ -52,6 +52,8 @@
* search.
*/
+#include <assert.h>
+
OFFSET
bestmatch(OFFSET xoff, OFFSET xlim, OFFSET yoff, OFFSET ylim,
OFFSET min, OFFSET max, OFFSET *py)
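Review bot: the `#include <assert.h>` lands mid-file, between the comment block and the `bestmatch` definition, instead of with the header's other includes at the top, and because this is a header it is pulled into every translation unit that includes it. Acceptable for throwaway instrumentation, but keep in mind that `assert` compiles out under `NDEBUG`, so a build with `-DNDEBUG` silently loses both checks.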
@@ -113,14 +115,20 @@
{
OFFSET d;
- if (fmin > dmin)
+ if (fmin > dmin) {
+ assert(fmin -2 >= 0);
+ assert(fmin -2 < sizeof(fd) / sizeof(fd[0]));
fd[--fmin - 1] = -1;
- else
+ } else {
++fmin;
- if (fmax < dmax)
+ }
+ if (fmax < dmax) {
+ assert(fmax +2 >= 0);
+ assert(fmax +2 < sizeof(fd) / sizeof(fd[0]));
fd[++fmax + 1] = -1;
- else
+ } else {
--fmax;
+ }
for (d = fmax; d >= fmin; d -= 2)
{
OFFSET x, y;
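Review bot: `sizeof(fd) / sizeof(fd[0])` gives the element count only if `fd` is a true array visible in this scope; if `fd` is a pointer (or a macro expanding to one), it evaluates to `sizeof(OFFSET *) / sizeof(OFFSET)`, typically 1 or 2, and the upper-bound asserts fire for perfectly valid indices, which would make the reported assertion failures a false positive. Confirm how `fd` is declared before concluding there is an out-of-bounds access. The comparisons also mix the signed `OFFSET` expression with the unsigned `size_t` result of `sizeof`; cast one side explicitly (e.g. `(size_t) (fmin - 2)`, after the `>= 0` check) to keep the comparison honest. Lastly, the asserted indices `fmin - 2` and `fmax + 2` do match the stores `fd[--fmin - 1]` and `fd[++fmax + 1]`, but only those two sentinel writes are guarded; the `fd` accesses inside the `for (d = fmax; d >= fmin; d -= 2)` loop that follows remain unchecked, so a clean run of these asserts does not rule out an overrun there.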