From: Vladislav Shpilevoy
Date: Fri, 5 Jun 2020 01:43:16 +0200
Message-Id: <864075a769f1b09a44950fe93630519eb0fa2899.1591313754.git.v.shpilevoy@tarantool.org>
Subject: [Tarantool-patches] [PATCH 09/11] salad: fix UB pointer arithmetic in bps_tree
To: tarantool-patches@dev.tarantool.org, tsafin@tarantool.org, alyapunov@tarantool.org

From: Aleksandr Lyapunov

There is some pointer arithmetic in bps_tree that calculates intermediate pointers that point out of array bounds. Though they are never dereferenced and only used for further calculation of correct pointers, it is still UB and must be fixed.

Part of #4609
--- src/lib/salad/bps_tree.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/lib/salad/bps_tree.h b/src/lib/salad/bps_tree.h index d28b53f53..ef5ae3d7e 100644 --- a/src/lib/salad/bps_tree.h +++ b/src/lib/salad/bps_tree.h @@ -2654,7 +2654,7 @@ bps_tree_move_elems_to_right_inner(struct bps_tree *tree, if (!move_to_empty) BPS_TREE_DATAMOVE(b->elems + num, b->elems, b->header.size - 1, b, b); - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy =
@@ -2866,7 +2866,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, mid_part_size - num, a, a); a->child_ids[pos] = block_id; - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy = @@ -2888,7 +2888,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, mid_part_size - num, a, a); a->child_ids[pos] = block_id; - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy = @@ -2916,8 +2916,8 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, if (num > 1) { /* +(num - 2) */ BPS_TREE_DATAMOVE(b->elems, - a->elems + a->header.size - - num + 1, num - 2, b, a); + a->elems + (a->header.size + - num + 1), num - 2, b, a); /* +1 */ b->elems[num - 2] = *a_inner_path_elem->max_elem_copy; @@ -2930,7 +2930,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, assert(num > 1); BPS_TREE_DATAMOVE(b->elems, - a->elems + a->header.size - num + 1, + a->elems + (a->header.size - num + 1), num - mid_part_size - 1, b, a); b->elems[new_pos] = max_elem; BPS_TREE_DATAMOVE(b->elems + new_pos + 1, @@ -3142,7 +3142,7 @@ bps_tree_insert_and_move_elems_to_left_inner(struct bps_tree *tree, b->elems[num - 2]; } if (!move_all) - BPS_TREE_DATAMOVE(b->elems, b->elems + num - 1, + BPS_TREE_DATAMOVE(b->elems, b->elems + (num - 1), b->header.size - num, b, b); } -- 2.21.1 (Apple Git-122.3)
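Review bot: In the first hunk (bps_tree_move_elems_to_right_inner, line 2654) the commit message should spell out why the unparenthesised form was out of bounds rather than merely "UB": the neighbouring counts `b->header.size - 1` and `num - 1` show that `elems` holds one entry fewer than `header.size`, so the intermediate `a->elems + a->header.size` landed two past the end of the array, beyond the one-past-the-end position that C permits. With the parentheses the subtraction is plain integer arithmetic and the only pointer formed is the final one, but that now depends on `num <= a->header.size`; if that invariant is not already asserted above the hunk, an `assert(num <= a->header.size)` next to the call would document it.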
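Review bot: The hunks at 2866 and 2888 in bps_tree_insert_and_move_elems_to_right_inner apply an identical rewrite to two identical four-line sequences (`a->child_ids[pos] = block_id;` followed by the same `BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a);`), which is how the same arithmetic slip got copied into both branches in the first place. A short helper or a shared local for the source pointer would keep the two branches from drifting apart again; at minimum the commit message could note that both branches were fixed together.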
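Review bot: In the hunk at 2916 the new line wrapping splits the parenthesised offset across two lines, `a->elems + (a->header.size` / `- num + 1), num - 2, b, a);`, which hides the grouping this patch is introducing. The same offset `a->elems + (a->header.size - num + 1)` appears in the hunk at 2930 directly below; computing it once into a local (for example `src = a->elems + (a->header.size - num + 1);`) before the `if (num > 1)` branch would keep the expression on one line and make the `/* +(num - 2) */` and `/* +1 */` bookkeeping comments easier to check against the code.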
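Review bot: For the hunk at 3142 in bps_tree_insert_and_move_elems_to_left_inner, whether the old `b->elems + num - 1` could actually form an out-of-range intermediate depends on whether `num` can reach the block's capacity inside the `if (!move_all)` branch, which is not visible here; the parenthesised `b->elems + (num - 1)` is harmless either way and keeps the style consistent with the other hunks. It would help to state in the commit message which of the seven sites were flagged by a sanitizer or review and which were changed only for consistency, so a future reader does not assume every site was a live report.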