On Sat, Apr 7, 2012 at 4:42 AM, <[email protected]> wrote:
> Author: nwellnhof
> Date: Sat Apr 7 11:42:39 2012
> New Revision: 1310742
>
> URL: http://svn.apache.org/viewvc?rev=1310742&view=rev
> Log:
> Add index check in quicksort code
>
> A buggy or malicious compare function could make us go past the end of the
> input buffer.
> --- lucy/trunk/core/Lucy/Util/SortUtils.c (original)
> +++ lucy/trunk/core/Lucy/Util/SortUtils.c Sat Apr 7 11:42:39 2012
> @@ -302,6 +302,7 @@ S_qsort4(FOUR_BYTE_TYPE *elems, int32_t
> i++;
> comparison1 = compare(context, elems + i, pivot);
> if (comparison1 >= 0) { break; }
> + if (i == right) { break; }
> }
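Review bot: the new `if (i == right) { break; }` is placed after the `compare` call, so the element at `right` is still passed to `compare` once before the scan stops; the guard only prevents the next `i++` from stepping past `right`, which matches the log's intent but is worth stating in a comment above the check, since next to `comparison1 >= 0` it reads as redundant (e.g. `/* bound the scan: a buggy compare must not run past the partition */`). The hunk covers only this forward scan; if `S_qsort4` also walks an index down from the other end, that loop needs the mirror check, or the log should say why that side is already bounded.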
This probably wasn't obvious, but when (i == right), that's the "pivot"
element. Therefore, the comparison routine is comparing "pivot" against
itself.
If compare(pivot, pivot) returns anything other than 0, we've got big
problems. I don't think it's in our interest to hide such an error -- better
to learn about it as quickly as possible by running off the end of the array
and segfaulting.
I also think we should try hard not to make the SortUtils.c code any more
complex than it already is. (I'd love to see us consolidate the "four-byte"
and "eight-byte" sections down to one.)
Marvin Humphrey
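To make the point in this thread concrete, here is an added C example (not Lucy's own code; `scan_forward`, `cmp_int32` and `cmp_always_less` are constructed names) that mirrors the forward scan in the hunk with the pivot at `elems[right]`. It shows that a reflexive comparator stops the scan at the pivot by itself, and that the added index check only comes into play when `compare(pivot, pivot)` is not 0; instead of reading past the partition it reports -1 so the failure is observable without a segfault.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Comparator shape matching the quoted hunk: compare(context, a, b). */
typedef int (*cmp_fn)(void *context, const void *a, const void *b);

/* Forward partition scan with the pivot stored at elems[right], as in the quoted
 * S_qsort4 loop: step i until compare(elems + i, pivot) >= 0.  Rather than
 * dereferencing past `right`, the scan returns -1 so the failure mode is visible.
 * `guard` toggles the `if (i == right) break;` check added by the commit. */
int32_t scan_forward(int32_t *elems, int32_t left, int32_t right,
                     bool guard, cmp_fn compare, void *context) {
    int32_t *pivot = elems + right;
    int32_t i = left - 1;
    for (;;) {
        i++;
        if (i > right) { return -1; }        /* unguarded scan ran off the partition */
        int comparison = compare(context, elems + i, pivot);
        if (comparison >= 0) { break; }      /* normal stop; compare(pivot, pivot) == 0 ends it at right */
        if (guard && i == right) { break; }  /* the index check from the hunk */
    }
    return i;
}

/* Well-behaved comparator: reflexive, compare(x, x) == 0. */
int cmp_int32(void *context, const void *a, const void *b) {
    (void)context;
    int32_t x = *(const int32_t *)a, y = *(const int32_t *)b;
    return (x > y) - (x < y);
}

/* Misbehaving comparator: never returns >= 0, so compare(pivot, pivot) != 0. */
int cmp_always_less(void *context, const void *a, const void *b) {
    (void)context; (void)a; (void)b;
    return -1;
}

int main(void) {
    int32_t elems[] = {3, 1, 4, 1, 5};  /* constructed sample; pivot is elems[4] == 5 */
    printf("good compare, no guard: stop at %d\n", scan_forward(elems, 0, 4, false, cmp_int32, NULL));
    printf("bad compare,  no guard: %d (ran off the end)\n", scan_forward(elems, 0, 4, false, cmp_always_less, NULL));
    printf("bad compare,  guard:    stop at %d\n", scan_forward(elems, 0, 4, true, cmp_always_less, NULL));
    return 0;
}
```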