Rev 4708: Fix a rare segmentation fault in the groupcompress code. in http://bazaar.launchpad.net/~jameinel/bzr/2.0-490228-gc-segfault
John Arbash Meinel
john at arbash-meinel.com
Mon Dec 14 15:52:27 GMT 2009
At http://bazaar.launchpad.net/~jameinel/bzr/2.0-490228-gc-segfault
------------------------------------------------------------
revno: 4708
revision-id: john at arbash-meinel.com-20091214155224-6av92htxukvp69jk
parent: pqm at pqm.ubuntu.com-20091202024309-7eblqn2luitz3tzs
committer: John Arbash Meinel <john at arbash-meinel.com>
branch nick: 2.0-490228-gc-segfault
timestamp: Mon 2009-12-14 09:52:24 -0600
message:
Fix a rare segmentation fault in the groupcompress code.
When finding the location to insert an entry in the hash map,
we start by going to the next hash bucket, and walking backwards
to find the last empty entry.
The last entry in the hash table intentionally points to just
after the actual entry table, so that we have an 'upper bound'.
However, if the last actual bucket was full, this could cause
us to check to see if the 'sentinel' value pointed to NULL,
which isn't valid. If the memory allocator did not allocate
extra bytes after the end of the entry table, this would
access invalid memory and segfault.
The fix is to change the if check to evaluate whether the current
pointer is in the current bucket before we check to see whether
it is empty. (Note that the double check *should* be redundant.)
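As an added illustration (not code from bzrlib or from this commit), the following C model reproduces the hash-map layout the commit message describes: a flat entry table, a `hash[]` array whose element `b` points at the first slot of bucket `b`, and a final element that points one past the end of the table as a sentinel. The slot search walks back from the next bucket over empty slots, and the bucket-full test is written in both the pre-fix order (dereference first) and the post-fix order (bounds check first). A stand-in for `old_entry->ptr` counts reads of the sentinel instead of performing them, so the out-of-bounds read that could segfault shows up as a number. All names, sizes and the fixture data are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added model (not bzrlib's diff-delta.c): entries[] holds the slots,
 * hash[b] points at the first slot of bucket b, and hash[NBUCKETS] is a
 * one-past-the-end sentinel that may be compared but never dereferenced. */

#define NBUCKETS 2
#define NENTRIES 4                 /* two slots per bucket (constructed) */

struct index_entry {
    const unsigned char *ptr;      /* NULL marks an empty slot */
};

struct unpacked_index {
    struct index_entry entries[NENTRIES];
    struct index_entry *hash[NBUCKETS + 1]; /* hash[NBUCKETS] == entries + NENTRIES */
    int oob_reads;                 /* how often the sentinel's ->ptr was read */
};

/* Constructed fixture: bucket 0 is half full; bucket 1 (the last one) is
 * either half full or completely full, the case that crashed. */
static void build_index(struct unpacked_index *idx, int last_bucket_full)
{
    static const unsigned char data[] = "x";
    int b;
    memset(idx, 0, sizeof(*idx));
    for (b = 0; b <= NBUCKETS; b++)
        idx->hash[b] = idx->entries + b * (NENTRIES / NBUCKETS);
    idx->entries[0].ptr = data;
    idx->entries[2].ptr = data;
    if (last_bucket_full)
        idx->entries[3].ptr = data;
}

/* Stand-in for 'e->ptr' that records a read of the sentinel instead of doing
 * it. In real code that read is undefined behaviour and, with nothing mapped
 * after the table, a segfault. */
static const unsigned char *read_ptr(struct unpacked_index *idx,
                                     const struct index_entry *e)
{
    if (e >= idx->entries + NENTRIES) {
        idx->oob_reads++;
        return NULL;               /* arbitrary; real memory holds anything */
    }
    return e->ptr;
}

/* Find the slot to insert into for bucket hash_offset by walking back from the
 * start of the next bucket over trailing empty slots. Returns NULL when the
 * bucket is full. buggy_order == 1 reproduces the pre-fix test order. */
static struct index_entry *find_slot(struct unpacked_index *idx,
                                     int hash_offset, int buggy_order)
{
    struct index_entry *old_entry = idx->hash[hash_offset + 1];
    int full;

    while (old_entry > idx->hash[hash_offset]
           && read_ptr(idx, old_entry - 1) == NULL)
        old_entry--;

    if (buggy_order)   /* before the fix: may read the sentinel */
        full = read_ptr(idx, old_entry) != NULL
               || old_entry >= idx->hash[hash_offset + 1];
    else               /* after the fix: the bounds test short-circuits the read */
        full = old_entry >= idx->hash[hash_offset + 1]
               || read_ptr(idx, old_entry) != NULL;
    return full ? NULL : old_entry;
}

/* Scenario helpers: slot index within entries[] (-1 means "resize needed")
 * and the number of sentinel reads the search performed. */
int slot_index(int last_bucket_full, int hash_offset, int buggy_order)
{
    struct unpacked_index idx;
    struct index_entry *e;
    build_index(&idx, last_bucket_full);
    e = find_slot(&idx, hash_offset, buggy_order);
    return e ? (int)(e - idx.entries) : -1;
}

int sentinel_reads(int last_bucket_full, int hash_offset, int buggy_order)
{
    struct unpacked_index idx;
    build_index(&idx, last_bucket_full);
    find_slot(&idx, hash_offset, buggy_order);
    return idx.oob_reads;
}

int main(void)
{
    printf("last bucket full, old order: slot %d, sentinel reads %d\n",
           slot_index(1, 1, 1), sentinel_reads(1, 1, 1));
    printf("last bucket full, new order: slot %d, sentinel reads %d\n",
           slot_index(1, 1, 0), sentinel_reads(1, 1, 0));
    printf("last bucket half full, new order: slot %d\n", slot_index(0, 1, 0));
    return 0;
}
```

The model also shows why the bug was rare: for any bucket but the last, `hash[hash_offset + 1]` points at the first slot of the next bucket, which is real memory, so the old operand order only misbehaves when the final bucket is full and the walk stops exactly at the sentinel. The `ptr != NULL` half of the fixed test can never fire for an in-range `old_entry` here, since the walk stops on an empty slot, which matches the commit message's remark that the double check should be redundant.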
-------------- next part --------------
=== modified file 'NEWS'
--- a/NEWS 2009-12-02 01:30:35 +0000
+++ b/NEWS 2009-12-14 15:52:24 +0000
@@ -27,6 +27,11 @@
* Content filters are now applied correctly after pull, merge and switch.
(Ian Clatworthy, #385879)
+* Fix a potential segfault in the groupcompress hash map handling code.
+ When inserting new entries, if the final hash bucket was empty, we could
+ end up trying to access if ``(last_entry+1)->ptr == NULL``.
+ (John Arbash Meinel, #490228)
+
* Improve "Binary files differ" hunk handling. (Aaron Bentley, #436325)
Improvements
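Review bot: the NEWS entry says the crash happens "if the final hash bucket was empty", but the commit message and the fix describe the opposite case: the backwards walk from `hash[hash_offset + 1]` only lands on the sentinel when the last bucket is full of non-NULL entries, and that is when `(last_entry+1)->ptr` gets read. Suggest "if the final hash bucket was full". "trying to access if" also reads oddly; "trying to evaluate" would be clearer.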
=== modified file 'bzrlib/diff-delta.c'
--- a/bzrlib/diff-delta.c 2009-08-03 16:54:36 +0000
+++ b/bzrlib/diff-delta.c 2009-12-14 15:52:24 +0000
@@ -804,8 +804,8 @@
old_entry--;
}
old_entry++;
- if (old_entry->ptr != NULL
- || old_entry >= old_index->hash[hash_offset + 1]) {
+ if (old_entry >= old_index->hash[hash_offset + 1]
+ || old_entry->ptr != NULL) {
/* There is no room for this entry, we have to resize */
// char buff[128];
// get_text(buff, entry->ptr);
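Review bot: the reordering is correct only because `||` short-circuits; for the last bucket `old_index->hash[hash_offset + 1]` is a one-past-the-end pointer, which is valid to compare against but not to dereference. A one-line comment above the `if` saying the bounds test must stay first would keep a later cleanup from swapping the operands back, especially since the commit message itself calls the `ptr != NULL` check redundant, which is exactly what someone might "simplify" away. The commented-out `// char buff[128];` / `// get_text(...)` debug lines are also `//` comments in a .c file and could be dropped in the same pass. A regression test that inserts into a table whose final bucket is full would pin the behaviour.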