Subject: [PATCH] potentially bug in __catfind(), catalog.cpp
From: "Farid Zaripov"
Delivered-To: mailing list stdcxx-dev@incubator.apache.org
Date: Fri, 14 Sep 2007 19:44:15 +0300
Message-ID: <7BDB2168BEAEF14C98F1901FD2DE6438F57A6F@epmsa009.minsk.epam.com>

I'm not sure whether to call this a bug. Let's say it is a potential bug. Below is the __catfind() function from the catalog.cpp file:

    CatVector::size_type __catfind(nl_catd id)
    {
        CatVector::size_type i = 0;
        while (i < __rw_catlist.size() && __rw_catlist[i] && __rw_catlist[i]->id() != id)
            i++;
        // when the vector is full and id is not present, i == __rw_catlist.size() here
        if (!__rw_catlist[i])
            return __rw_catlist.size();
        return i;
    }

If this function is invoked with an invalid id when the __rw_catlist vector is filled up, then after the while loop i == __rw_catlist.size() and we get undefined behavior in the "if (!__rw_catlist[i])" line.

I propose to rewrite this function this way:

    CatVector::size_type __catfind(nl_catd id)
    {
        // every access is guarded by the bound check; size() means "not found"
        for (CatVector::size_type i = 0; i < __rw_catlist.size() && __rw_catlist[i]; ++i)
            if (__rw_catlist[i]->id() == id)
                return i;

        return __rw_catlist.size();
    }

I can't write a regression test for this situation because __catfind() is always invoked in the library with a valid id. And I also can't write a test which invokes __catfind() explicitly, because that function is inaccessible from user code.

Here is the patch:

ChangeLog:
* catalog.cpp (__catfind): Fixed potentially undefined behavior when __rw_catlist vector is full and id is not valid.

Index: catalog.cpp
===================================================================
--- catalog.cpp	(revision 575597)
+++ catalog.cpp	(working copy)
@@ -71,12 +71,11 @@ =20 CatVector::size_type __catfind(nl_catd id) { - CatVector::size_type i =3D 0; - while (i < __rw_catlist.size() && __rw_catlist[i] && __rw_catlist[i]->id() !=3D id) - i++; - if (!__rw_catlist[i]) - return __rw_catlist.size(); - return i; + for (CatVector::size_type i =3D 0; i < __rw_catlist.size() && __rw_catlist[i]; ++i) + if (__rw_catlist[i]->id() =3D=3D id) + return i; + =20 + return __rw_catlist.size(); } =20 =20 =20 Farid.
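Review bot: the rewritten loop in __catfind still stops at the first null slot (`i < __rw_catlist.size() && __rw_catlist[i]`), so an id stored behind a null entry is reported as not found exactly as before; since the fix drops the separate `if (!__rw_catlist[i])` branch that made this visible, add a one-line comment stating that the list is searched only up to the first empty slot and that `__rw_catlist.size()` is the not-found sentinel. Also the added blank line `+ =20` carries trailing whitespace; make it an empty line.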
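The situation described in the message, as an added example that is not stdcxx code: __rw_catlist is modelled as a std::vector of catalog pointers, the original loop and the proposed rewrite are run side by side on a full list with an unknown id and on a list with a null slot in the middle. The names Catalog, CatList, catfind_old, catfind_new and old_reads_past_end are assumptions made for this example; in catfind_old the unchecked `__rw_catlist[i]` after the while loop is written as `.at(i)` so that the read past the end shows up as a thrown std::out_of_range rather than as undefined behaviour.

```cpp
// Added example, not stdcxx code: models __rw_catlist as a vector of
// catalog pointers and contrasts the original __catfind() loop with the
// proposed rewrite. Catalog, CatList, catfind_old, catfind_new and
// old_reads_past_end are names assumed for this example.
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <vector>

typedef int nl_catd;               // stand-in for the real catalog handle

struct Catalog {
    explicit Catalog(nl_catd i) : id_(i) {}
    nl_catd id() const { return id_; }
private:
    nl_catd id_;
};

typedef std::vector<Catalog*> CatVector;   // same shape as __rw_catlist

// Original loop. The unchecked __rw_catlist[i] after the while loop is
// written as list.at(i) here so that, when the list is full and id is
// unknown (i == list.size()), the read past the end throws
// std::out_of_range instead of being undefined behaviour.
CatVector::size_type catfind_old(const CatVector& list, nl_catd id)
{
    CatVector::size_type i = 0;
    while (i < list.size() && list[i] && list[i]->id() != id)
        i++;
    if (!list.at(i))
        return list.size();
    return i;
}

// Proposed loop: the bound check guards every access; list.size() is the
// "not found" sentinel, and the search still stops at the first null slot.
CatVector::size_type catfind_new(const CatVector& list, nl_catd id)
{
    for (CatVector::size_type i = 0; i < list.size() && list[i]; ++i)
        if (list[i]->id() == id)
            return i;
    return list.size();
}

// True when catfind_old would have indexed past the end for this input.
bool old_reads_past_end(const CatVector& list, nl_catd id)
{
    try {
        catfind_old(list, id);
        return false;
    }
    catch (const std::out_of_range&) {
        return true;
    }
}

// Owns the catalogs and exposes the raw-pointer vector the search runs over.
struct CatList {
    std::vector<std::unique_ptr<Catalog> > owned;
    CatVector list;
    void add(nl_catd id) {
        owned.push_back(std::unique_ptr<Catalog>(new Catalog(id)));
        list.push_back(owned.back().get());
    }
    void add_empty_slot() { list.push_back(0); }   // a closed/unused entry
};

int main()
{
    CatList full;                       // constructed input: no empty slots
    full.add(10); full.add(20); full.add(30);
    std::cout << "new, id 20 -> " << catfind_new(full.list, 20) << '\n';   // 1
    std::cout << "new, id 99 -> " << catfind_new(full.list, 99) << '\n';   // 3 == size()
    std::cout << "old reads past end for id 99? "
              << old_reads_past_end(full.list, 99) << '\n';               // 1

    CatList gap;                        // constructed input: null slot in the middle
    gap.add(10); gap.add_empty_slot(); gap.add(30);
    std::cout << "old reads past end for id 99 with a gap? "
              << old_reads_past_end(gap.list, 99) << '\n';                // 0
    std::cout << "new, id 30 behind the gap -> "
              << catfind_new(gap.list, 30) << '\n';                       // 3
    return 0;
}
```

The second list shows why the author could not trigger the problem from a regression test: as soon as the vector has an empty slot the old loop stops there and never reaches `i == size()`; only a completely filled vector combined with an id that is not present reaches the out-of-bounds read. It also shows that the rewrite keeps the old stop-at-first-null behaviour, so an entry behind a null slot is still reported as not found.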