[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify

Subject: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 18 Feb 2016 10:45:39 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 18 Feb 2016 05:46:02 -0500
In-reply-to: <051.44cef5ca8077d50b41cca2b13a5bdb40@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.44cef5ca8077d50b41cca2b13a5bdb40@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18296: Potential integer overflow and memory corruption in smartlist_heapify
-------------------------+------------------------------------
 Reporter:  cypherpunks  |          Owner:  nickm
     Type:  defect       |         Status:  needs_review
 Priority:  Medium       |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor          |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:11 nickm]:
 > Have another look at the algorithm?  It starts with an idx that possibly
 violates the heap property by being larger than one or both of its
 children.  If it does, it swaps a child into the current idx, and then
 looks to see whether the heap property is now violated at the child's old
 position.  If HAS_CHILDREN(idx) is false, it is impossible for idx to have
 a pair of children -- though hm, when I wake up I should see whether it
 can have only a single child.

 If HAS_CHILDREN is false, idx can;t have any children.

 > Note also that idx is monotonically increasing here, and it
 approximately doubles each time through the loop.  So at worse we're doing
 a small number of iterations.

 That makes more sense.

 Should we tor_assert() rather than returning?
 I can't understand how returning yields a valid heap.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18296#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #18170 [Tor Browser]: After an update to Tor Browser 5.5 only changelog tab is shown
Next by Author: [tor-bugs] #18336 [- Select a component]: TestoStaxx is the perfect supplement top help aid in your building regime.
Previous by thread: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Next by thread: Re: [tor-bugs] #18296 [Tor]: Potential integer overflow and memory corruption in smartlist_heapify
Index(es):
- Author
- Thread