Hi,

The current bounds copy algorithm has a bug that causes an overflow
in the specific case where there are no bounds to copy.  The patch
was regtested and bootstrapped for x86_64-unknown-linux-gnu.

I'm going to apply it to trunk and gcc-6-branch.

Thanks,
Ilya
--
libmpx/

2016-06-10  Ilya Enkovich  <ilya.enkov...@intel.com>

        * mpxwrap/mpx_wrappers.c (move_bounds): Fix overflow bug.


diff --git a/libmpx/mpxwrap/mpx_wrappers.c b/libmpx/mpxwrap/mpx_wrappers.c
index d4c83ef..171a780 100644
--- a/libmpx/mpxwrap/mpx_wrappers.c
+++ b/libmpx/mpxwrap/mpx_wrappers.c
@@ -27,6 +27,7 @@
 #include "string.h"
 #include <sys/mman.h>
 #include <stdint.h>
+#include <assert.h>
 #include "mpxrt/mpxrt.h"
 
 void *
@@ -418,7 +419,16 @@ move_bounds (void *dst, const void *src, size_t n)
           else
             elems_to_copy -= src_bt_index_end + 1;
         }
-      src_bd_index_end--;
+      /* Go to previous table but beware of overflow.
+        We should have copied all required element
+        in case src_bd_index_end is 0.  */
+      if (src_bd_index_end)
+       src_bd_index_end--;
+      else
+       {
+         assert (!elems_to_copy);
+         return;
+       }
       /* For each bounds table we check if there are valid pointers inside.
          If there are some, we copy table in pre-counted portions.  */
       for (; src_bd_index_end > src_bd_index; src_bd_index_end--)
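Review bot: The `assert (!elems_to_copy)` in the new `else` branch is the only check that all bounds were copied before the early `return`, and it is compiled out when the library is built with `NDEBUG`. In that build a non-zero `elems_to_copy` would return silently, leaving part of the destination without the moved bounds, which matters for a runtime whose job is bounds checking. An explicit check that does not depend on the build mode would be safer, for example `if (elems_to_copy) abort ();` (assuming `<stdlib.h>` is already included above the visible include lines). The comment could also say that the guard keeps the index from wrapping below zero, since `src_bd_index_end` is presumably unsigned. `move_bounds` begins and ends outside this hunk, so whether the early `return` skips any work after the loop cannot be confirmed from here.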
