The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7ee1bdd094d376fdc547e8ca33e472f1d37a7d79

commit 7ee1bdd094d376fdc547e8ca33e472f1d37a7d79
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-03-10 03:00:42 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-03-10 03:00:42 +0000

    libdtrace: Fix an off-by-one in the priority queue implementation
    
    The zero'th index in the array is unused, so a priority queue of N elements
    needs N+1 array slots.  Fix the allocation.
    
    Also fix the assertion in dt_pq_insert(): the assertion needs to be checked
    after incrementing the count of items in the priority queue, otherwise it can
    miss an overflow.
    
    Reported by:    CHERI
    MFC after:      2 weeks
    Sponsored by:   Innovate UK
    Differential Revision:  https://reviews.freebsd.org/D49242
---
 cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c 
b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
index 0cd556abd8f5..ffbac8b6ea1e 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
@@ -37,7 +37,7 @@ dt_pq_init(dtrace_hdl_t *dtp, uint_t size, dt_pq_value_f 
value_cb, void *cb_arg)
        if ((p = dt_zalloc(dtp, sizeof (dt_pq_t))) == NULL)
                return (NULL);
 
-       p->dtpq_items = dt_zalloc(dtp, size * sizeof (p->dtpq_items[0]));
+       p->dtpq_items = dt_zalloc(dtp, (size + 1) * sizeof (p->dtpq_items[0]));
        if (p->dtpq_items == NULL) {
                dt_free(dtp, p);
                return (NULL);
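Review bot: The new size expression `(size + 1) * sizeof (p->dtpq_items[0])` performs the `+ 1` in `uint_t` arithmetic, so a `size` of `UINT_MAX` wraps to 0 before the multiplication and yields a zero-length allocation. On targets where `size_t` is 32 bits the multiplication itself can also wrap for large `size`. Callers may never pass such values (they are not visible here), but the guard is cheap: do the addition in `size_t`, `((size_t)size + 1) * sizeof (p->dtpq_items[0])`, and reject oversized requests before the first allocation with `if (size >= SIZE_MAX / sizeof (p->dtpq_items[0])) return (NULL);`. dt_pq_init begins before this hunk and continues after it.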
@@ -73,9 +73,9 @@ dt_pq_insert(dt_pq_t *p, void *item)
 {
        uint_t i;
 
-       assert(p->dtpq_last < p->dtpq_size);
-
        i = p->dtpq_last++;
+       assert(i <= p->dtpq_size);
+
        p->dtpq_items[i] = item;
 
        while (i > 1 && dt_pq_getvalue(p, i) < dt_pq_getvalue(p, i / 2)) {
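Review bot: The store `p->dtpq_items[i] = item` is bounded only by `assert(i <= p->dtpq_size)`, so in any build where assertions are compiled out, an insert into a full queue writes one pointer past the `size + 1`-slot heap array. By that point `dtpq_last` has already been incremented. Whether libdtrace is ever built with `NDEBUG` is not visible from this hunk; if it can be, the overflow case deserves a runtime check rather than an assertion alone. Separately, `i` holds the pre-increment value of `dtpq_last`, which is easy to misread against the commit message, so a comment above the assertion would help, e.g. `/* Slot 0 is unused; i is the slot being filled and must lie in 1..dtpq_size. */` (this assumes `dtpq_last` starts at 1, which is set outside the hunk). dt_pq_insert's body continues past the end of this hunk.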
