Hi,
Current bounds copy algorithm has a bug which causes overflow
in a specific case when there are no bounds to copy. Patch
was regtested and bootstrapped for x86_64-unknown-linux-gnu.
I'm going to apply it to trunk and gcc-6-branch.
Thanks,
Ilya
--
libmpx/
2016-06-10 Ilya Enkovich <ilya.enkov...@intel.com>
* mpxwrap/mpx_wrappers.c (move_bounds): Fix overflow bug.
diff --git a/libmpx/mpxwrap/mpx_wrappers.c b/libmpx/mpxwrap/mpx_wrappers.c
index d4c83ef..171a780 100644
--- a/libmpx/mpxwrap/mpx_wrappers.c
+++ b/libmpx/mpxwrap/mpx_wrappers.c
@@ -27,6 +27,7 @@
#include "string.h"
#include <sys/mman.h>
#include <stdint.h>
+#include <assert.h>
#include "mpxrt/mpxrt.h"
void *
@@ -418,7 +419,16 @@ move_bounds (void *dst, const void *src, size_t n)
else
elems_to_copy -= src_bt_index_end + 1;
}
- src_bd_index_end--;
+ /* Go to previous table but beware of overflow.
+ We should have copied all required element
+ in case src_bd_index_end is 0. */
+ if (src_bd_index_end)
+ src_bd_index_end--;
+ else
+ {
+ assert (!elems_to_copy);
+ return;
+ }
/* For each bounds table we check if there are valid pointers inside.
If there are some, we copy table in pre-counted portions. */
for (; src_bd_index_end > src_bd_index; src_bd_index_end--)
