From patchwork Thu Mar 16 15:49:08 2017
X-Patchwork-Submitter: Sergey Senozhatsky
X-Patchwork-Id: 19603
Date: Fri, 17 Mar 2017 00:49:08 +0900
From: Sergey Senozhatsky
To: Joseph Myers
Cc: Sergey Senozhatsky, "libc-alpha@sourceware.org", Sergey Senozhatsky
Subject: Re: [PATCH] stdlib-bsearch: middle element calculation may overflow
Message-ID: <20170316154908.GA575@tigerII.localdomain>
References: <20170316052615.7662-1-sergey.senozhatsky@gmail.com>

Hi,

On (03/16/17 14:02), Joseph Myers wrote:
> If this fixes a user-visible bug then the ChangeLog entry needs to include
> [BZ #N] referencing the bug filed in Bugzilla (and once the fix is in the
> bug needs to be resolved as FIXED with appropriate target milestone set).
> Is this bug 2753? If not, a new bug would need to be filed for it.

a) um... I assume glibc Bugzilla is located at https://sourceware.org/bugzilla/
   and 2753, thus, is https://sourceware.org/bugzilla/show_bug.cgi?id=2753
   if so, then, yes looks like I'm not the first one to point that out.
   I'm not sure I see Ulrich's "You do not even understand how binary
   searching works, do you? The sum can never exceed nmemb and nmemb
   obviously fits into an size_t" point. it's a bug.

b) I guess I got the ChangeLog file format mostly right. well, not
   entirely sure (does it have to be so complicated? :) )

c) I don't think I see what the "target milestone" is even supposed to
   mean. Sorry! glibc version? min glibc version that requires a backport
   of this fix (if there are -stable/LTS glibc releases)? etc. etc. etc.

---8<---8<----

From f4cbb4449cc8605ea5b223f2537b82224c8685e9 Mon Sep 17 00:00:00 2001
From: Sergey Senozhatsky
Date: Fri, 17 Mar 2017 00:31:44 +0900
Subject: [PATCH] stdlib-bsearch: middle element calculation may overflow

Middle element calculation may overflow at '__l + __u' when
__l and __u are large enough. Use distance between __u and
__l instead.

    [BZ #2753]
    * bits/stdlib-bsearch.h: Fix integer overflow.

Signed-off-by: Sergey Senozhatsky --- ChangeLog | 5 +++++ bits/stdlib-bsearch.h | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e0acd7d0c4..7142794922 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2017-03-17 Sergey Senozhatsky + + [BZ #2753] + * bits/stdlib-bsearch.h: Fix integer overflow. + 2017-03-10 Stefan Liebler * math/auto-libm-test-out-catan: Regenerated. diff --git a/bits/stdlib-bsearch.h b/bits/stdlib-bsearch.h index eb145381fd..5fd8a8b607 100644 --- a/bits/stdlib-bsearch.h +++ b/bits/stdlib-bsearch.h @@ -28,7 +28,7 @@ bsearch (const void *__key, const void *__base, size_t __nmemb, size_t __size, __u = __nmemb; while (__l < __u) { - __idx = (__l + __u) / 2; + __idx = __l + (__u - __l) / 2; __p = (void *) (((const char *) __base) + (__idx * __size)); __comparison = (*__compar) (__key, __p); if (__comparison < 0)
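
Review bot: the ChangeLog entry in the first hunk names only the file. GNU ChangeLog style also names the changed function in parentheses, and the second hunk's header shows the change is inside bsearch, so the entry should read `* bits/stdlib-bsearch.h (bsearch): Fix integer overflow.`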
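
Review bot: the commit message says `__l + __u` overflows "when __l and __u are large enough", but the bits/stdlib-bsearch.h hunk comes with neither the bound nor a test. With `__u = __nmemb` and the loop condition `__l < __u`, the sum can only wrap when `__nmemb` is above SIZE_MAX / 2; stating that in the commit message and adding a regression test that exercises it would address the objection quoted from BZ #2753. The replacement `__l + (__u - __l) / 2` is fine as written, because `__l < __u` keeps `__u - __l` from wrapping.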
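
The wraparound described in the commit message, as an added example (not part of the original mail and not glibc code). The names `mid_old`, `mid_new`, `search` and `NOT_FOUND` are hypothetical, the branch bodies of the loop are assumed to be the usual ones, and the array is a constructed virtual one in which element i has the value i, so that `nmemb` can approach `SIZE_MAX` without allocating memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOT_FOUND SIZE_MAX   /* never a valid index: indices are < nmemb */

typedef size_t (*mid_fn)(size_t l, size_t u);

/* Midpoint as in the line the patch removes: l + u can wrap around. */
static size_t mid_old(size_t l, size_t u) { return (l + u) / 2; }

/* Midpoint as in the line the patch adds: u - l cannot wrap while l < u. */
static size_t mid_new(size_t l, size_t u) { return l + (u - l) / 2; }

/* Half-open [l, u) search starting from u = nmemb, as in the patch context.
   Constructed input: a virtual sorted array where element i == i.
   The step cap stands in for the endless loop a wrapped midpoint causes. */
static size_t search(size_t nmemb, size_t target, mid_fn mid)
{
    size_t l = 0, u = nmemb;
    unsigned steps = 0, cap = 2 * 8 * sizeof(size_t);

    while (l < u && steps++ < cap) {
        size_t idx = mid(l, u);
        if (target < idx)
            u = idx;
        else if (target > idx)
            l = idx + 1;
        else
            return idx;
    }
    return NOT_FOUND;
}

int main(void)
{
    size_t l = SIZE_MAX / 2 + 1, u = SIZE_MAX;

    printf("old midpoint below l: %d\n", mid_old(l, u) < l);
    printf("new midpoint in [l, u): %d\n",
           mid_new(l, u) >= l && mid_new(l, u) < u);
    printf("old finds SIZE_MAX-1: %d\n",
           search(SIZE_MAX, SIZE_MAX - 1, mid_old) != NOT_FOUND);
    printf("new finds SIZE_MAX-1: %d\n",
           search(SIZE_MAX, SIZE_MAX - 1, mid_new) != NOT_FOUND);
    return 0;
}
```

With the old midpoint the lower bound moves backwards after the first wrap and the search never reaches the target; both midpoints agree on small arrays.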