[tor-bugs] #19130 [Core Tor/Tor]: Seg fault in round_int64_to_next_multiple_of()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 19 19:43:27 UTC 2016
#19130: Seg fault in round_int64_to_next_multiple_of()
--------------------------+---------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+---------------------
Comment (by teor):
Replying to [comment:1 asn]:
> Yawning suggests this is a signed int overflow that leads to an abort
because of ftrapv (#17983).
>
> The overflow happens at:
> {{{
> if (INT64_MAX - divisor + 1 < number)
> return INT64_MAX;
> }}}
> whose left side probably gets applied as `INT64_MAX + 1 - divisor`.
Optimising compilers FTW.
>
> A potential fix here would be to reorder that if statement to:
> {{{
> if (INT64_MAX - number < divisor - 1)
> return INT64_MAX;
> }}}
That will overflow if number is negative, and I'm pretty sure it's the
wrong comparison.
Did you mean:
{{{
if (INT64_MAX - divisor < number - 1)
return INT64_MAX;
}}}
> maybe with an additional check that `divisor >= 1`.
The function already does the equivalent: `tor_assert(divisor > 0);`
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19130#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list