On 10/04/2012 05:23, Marvin Humphrey wrote:
On Sat, Apr 7, 2012 at 4:42 AM,<[email protected]>  wrote:
Author: nwellnhof
Date: Sat Apr  7 11:42:39 2012
New Revision: 1310742

URL: http://svn.apache.org/viewvc?rev=1310742&view=rev
Log:
Add index check in quicksort code

A buggy or malicious compare function could make us go past the end of the
input buffer.

--- lucy/trunk/core/Lucy/Util/SortUtils.c (original)
+++ lucy/trunk/core/Lucy/Util/SortUtils.c Sat Apr  7 11:42:39 2012
@@ -302,6 +302,7 @@ S_qsort4(FOUR_BYTE_TYPE *elems, int32_t
             i++;
             comparison1 = compare(context, elems + i, pivot);
             if (comparison1>= 0) { break; }
+            if (i == right)       { break; }
         }
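Review bot: the new guard `if (i == right) { break; }` sits after `comparison1 = compare(context, elems + i, pivot);`, so when i reaches right the compare has already been invoked once with elems + i pointing at the pivot itself (per the thread, elems[right] is the pivot) before the loop exits; if the intent is only to keep i from advancing past right that is fine, but consider either testing `i == right` before the compare call or adding a one-line comment above the guard stating that elems[right] is the pivot and that the check is a backstop against a compare function that returns a negative result for equal keys, since nothing in the hunk otherwise records that invariant.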

This probably wasn't obvious, but when (i == right), that's the "pivot"
element.  Therefore, the comparison routine is comparing "pivot" against
itself.

If compare(pivot, pivot) returns anything other than 0, we've got big
problems.

That's what happened with Integer64s.

I don't think it's in our interest to hide such an error -- better
to learn about it as quickly as possible by running off the end of the array
and segfaulting.

Well, the compare function can be supplied by the user, and I'd prefer that we never segfault on bogus user input.

Nick
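To make the disagreement concrete, here is an added example (not Lucy's code, and not part of the original thread) that models the left-to-right partition scan from the quoted S_qsort4 hunk with a user-supplied compare callback. The comparators, the `scan_left` helper, its `hard_stop` parameter and the `SAMPLE` array are all constructed for this illustration: `hard_stop` exists only so the unguarded variant can be observed without actually reading out of bounds, and the padding slots beyond `right` stand in for memory past the end of the input buffer.

```c
/* Added example: a partition scan modelled on the S_qsort4 loop from the
 * thread, showing what the `i == right` guard buys when the caller's
 * compare function does not return 0 for equal keys. Not Lucy code. */
#include <stdint.h>
#include <stdio.h>

typedef int (*CompareFn)(void *ctx, const void *a, const void *b);

/* Well-behaved comparator: returns 0 when the two keys are equal. */
static int cmp_i64_ok(void *ctx, const void *a, const void *b) {
    (void)ctx;
    int64_t x = *(const int64_t *)a, y = *(const int64_t *)b;
    return (x > y) - (x < y);
}

/* Constructed buggy comparator: never reports equality, so
 * cmp(pivot, pivot) == -1 and a scan for "elems[i] >= pivot" does not
 * stop at the pivot itself. */
static int cmp_i64_bad(void *ctx, const void *a, const void *b) {
    (void)ctx;
    int64_t x = *(const int64_t *)a, y = *(const int64_t *)b;
    return x <= y ? -1 : 1;   /* bug: equal keys compare as "less" */
}

/* Advance i from `left` until elems[i] >= pivot, where the pivot lives at
 * elems[right]. `guarded` enables the `i == right` check from the hunk.
 * `hard_stop` is a demo-only backstop marking the last physically readable
 * index; a real sort has no such safety net once i passes right.
 * Returns the index at which the scan stopped. */
static int32_t scan_left(const int64_t *elems, int32_t left, int32_t right,
                         CompareFn compare, int guarded, int32_t hard_stop) {
    const int64_t *pivot = elems + right;
    int32_t i = left - 1;
    for (;;) {
        i++;
        int comparison1 = compare(NULL, elems + i, pivot);
        if (comparison1 >= 0)      { break; }   /* found element >= pivot */
        if (guarded && i == right) { break; }   /* the guard from the hunk */
        if (i == hard_stop)        { break; }   /* demo-only backstop */
    }
    return i;
}

/* Constructed sample: indices 0..4 are the logical partition range with the
 * pivot (5) at index 4; indices 5..7 are padding that plays the role of
 * memory past the end of the input buffer. */
static const int64_t SAMPLE[8] = {1, 2, 3, 4, 5, 0, 0, 0};
#define RIGHT     4
#define HARD_STOP 7

/* Correct comparator: the scan stops on the pivot, guard or not. */
int32_t demo_ok_compare(void) {
    return scan_left(SAMPLE, 0, RIGHT, cmp_i64_ok, 0, HARD_STOP);
}

/* Buggy comparator without the guard: the scan runs past `right` and only
 * the demo backstop stops it; in a real buffer this is the overrun. */
int32_t demo_bad_unguarded(void) {
    return scan_left(SAMPLE, 0, RIGHT, cmp_i64_bad, 0, HARD_STOP);
}

/* Buggy comparator with the guard: the scan halts at the pivot index. */
int32_t demo_bad_guarded(void) {
    return scan_left(SAMPLE, 0, RIGHT, cmp_i64_bad, 1, HARD_STOP);
}

int main(void) {
    printf("ok compare stops at index %d\n", demo_ok_compare());
    printf("bad compare, no guard, reaches index %d (right = %d)\n",
           demo_bad_unguarded(), RIGHT);
    printf("bad compare, guarded, stops at index %d\n", demo_bad_guarded());
    return 0;
}
```

The guard changes the outcome only when the comparator is inconsistent; with a correct comparator the loop stops on the pivot anyway. That is the trade-off the thread is about: the check turns an out-of-bounds read driven by caller-supplied code into a silent early exit, at the cost of the sort no longer crashing loudly on a comparator that violates its contract.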
