On 12/13/2014 03:18 PM, Mark Wielaard wrote:
> On Thu, Dec 11, 2014 at 05:34:06PM -0800, Josh Stone wrote:
>> BTW, I want to point out this change in compare_lines:
>>
>>> - return (*p1)->addr - (*p2)->addr;
>> [...]
>>> + if (line1->addr != line2->addr)
>>> + return (line1->addr < line2->addr) ? -1 : 1;
>>
>> Since addr is 64-bit unsigned, and comparison functions return int, it
>> is possible for the difference to be so large that it wraps around. You
>> only need INT_MAX or more -- which probably doesn't happen often in ELF
>> files, but it's plausible.
>>
>> It might be worth auditing other qsort/tsearch comparison functions for
>> similar wrapping possibilities.
>
> I think you are right. I looked over all compare functions and two didn't
> do as you suggest. The attached patch fixes those. Does that look correct?
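Review bot: the removed line returns a 64-bit unsigned difference converted to int, which with a 32-bit int keeps only the low 32 bits, so the sign is wrong once the two addresses are 2^31 or more apart and two addresses exactly 2^32 apart compare as equal (a 0 result, which tsearch treats as a match). The added three-way form does no arithmetic on the values and is correct at any width; the same shape, (a > b) - (a < b), is the safe replacement wherever a subtraction-style comparator remains.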
Those look good. I think src/elfcmp.c compare_Elf32_Word() is also wrong, as
big u32 values could wrap int subtraction. I didn't find any others.

Josh
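The wrap discussed in this thread, as an added example that is not part of the thread or of elfutils: a constructed stand-in for the sorted records (struct line with a uint64_t addr, an assumed shape) and a bare uint32_t for the Elf32_Word case, each with the subtraction-style comparator next to the three-way form. It assumes the usual 32-bit int and the GCC/Clang behaviour that an out-of-range conversion to int keeps the low 32 bits; the helper names (cmp_addrs, cmp_u32s, sorts_ascending) and the sample addresses are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the sorted records; only the address matters.  */
struct line
{
  uint64_t addr;
};

/* Pre-patch pattern: the uint64_t difference is converted to int.  With a
   32-bit int (GCC/Clang keep the low 32 bits) a distance of 2^31 or more can
   flip sign, and a distance of exactly 2^32 becomes 0.  */
static int
compare_lines_subtract (const void *p1, const void *p2)
{
  const struct line *l1 = p1, *l2 = p2;
  return l1->addr - l2->addr;
}

/* Post-patch pattern: compare, never subtract.  Correct at any width.  */
static int
compare_lines_threeway (const void *p1, const void *p2)
{
  const struct line *l1 = p1, *l2 = p2;
  if (l1->addr != l2->addr)
    return (l1->addr < l2->addr) ? -1 : 1;
  return 0;
}

/* The same pair for a plain 32-bit unsigned value (the compare_Elf32_Word()
   case): an unsigned int difference of 2^31 or more converts to a negative int.  */
static int
compare_u32_subtract (const void *p1, const void *p2)
{
  return *(const uint32_t *) p1 - *(const uint32_t *) p2;
}

static int
compare_u32_threeway (const void *p1, const void *p2)
{
  uint32_t a = *(const uint32_t *) p1, b = *(const uint32_t *) p2;
  return (a > b) - (a < b);   /* -1, 0 or 1; no arithmetic on the values */
}

/* Reduce a comparator result to its sign so callers see only -1, 0 or 1.  */
static int
sign_of (int (*cmp) (const void *, const void *), const void *a, const void *b)
{
  int r = cmp (a, b);
  return (r > 0) - (r < 0);
}

static int
cmp_addrs (int (*cmp) (const void *, const void *), uint64_t a, uint64_t b)
{
  struct line la = { a }, lb = { b };
  return sign_of (cmp, &la, &lb);
}

static int
cmp_u32s (int (*cmp) (const void *, const void *), uint32_t a, uint32_t b)
{
  return sign_of (cmp, &a, &b);
}

/* qsort up to 16 constructed addresses with CMP; 1 if the result is
   nondecreasing, 0 if not, -1 if N is too large.  */
static int
sorts_ascending (int (*cmp) (const void *, const void *),
                 const uint64_t *addrs, size_t n)
{
  struct line lines[16];
  if (n > 16)
    return -1;
  for (size_t i = 0; i < n; i++)
    lines[i].addr = addrs[i];
  qsort (lines, n, sizeof lines[0], cmp);
  for (size_t i = 1; i < n; i++)
    if (lines[i - 1].addr > lines[i].addr)
      return 0;
  return 1;
}

int
main (void)
{
  /* Constructed addresses whose pairwise distances cross 2^31 and 2^32.  */
  const uint64_t addrs[] = { 0x100000000ULL, 0x100, 0x80000000ULL, 0 };
  size_t n = sizeof addrs / sizeof addrs[0];
  printf ("0x100000000 vs 0x100: subtract says %d, threeway says %d\n",
          cmp_addrs (compare_lines_subtract, 0x100000000ULL, 0x100),
          cmp_addrs (compare_lines_threeway, 0x100000000ULL, 0x100));
  printf ("sorted ascending? threeway=%d subtract=%d\n",
          sorts_ascending (compare_lines_threeway, addrs, n),
          sorts_ascending (compare_lines_subtract, addrs, n));
  return 0;
}
```

The subtraction form is not merely off for large distances: two addresses exactly 2^32 apart compare as 0, and the u32 variant reports "less than" for both orderings of 0x80000000 and 0, so qsort and tsearch get a comparator that is neither antisymmetric nor transitive. The three-way form costs one extra compare and has no such edge.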
