[tor-bugs] #19130 [Core Tor/Tor]: Seg fault in round_int64_to_next_multiple_of()

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 19 19:43:27 UTC 2016


#19130: Seg fault in round_int64_to_next_multiple_of()
--------------------------+---------------------
 Reporter:  arma          |          Owner:
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+---------------------

Comment (by teor):

 Replying to [comment:1 asn]:
 > Yawning suggests this is a signed int overflow that leads to an abort
 > because of ftrapv (#17983).
 >
 > The overflow happens at:
 > {{{
 >   if (INT64_MAX - divisor + 1 < number)
 >     return INT64_MAX;
 > }}}
 > whose left side probably gets applied as `INT64_MAX + 1 - divisor`.

 Optimising compilers FTW.

 >
 > A potential fix here would be to reorder that if statement to:
 > {{{
 >   if (INT64_MAX - number < divisor - 1)
 >     return INT64_MAX;
 > }}}

 That will overflow if number is negative, and I'm pretty sure it's the
 wrong comparison.
 Did you mean:

 {{{
   if (INT64_MAX - divisor < number - 1)
     return INT64_MAX;
 }}}

 > maybe with an additional check that `divisor >= 1`.

 The function already does the equivalent: `tor_assert(divisor > 0);`

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19130#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
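
An overflow-free version of the rounding discussed in this ticket, together with a check of which inputs make each rearranged guard overflow. This is an added example, not part of the original message and not Tor's code. All function names are hypothetical, and the rounding semantics (smallest multiple of `divisor` not below `number`, saturating at `INT64_MAX`) are an assumption.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* 1 if a - b does not fit in int64_t (the case -ftrapv aborts on). */
static int sub_overflows(int64_t a, int64_t b)
{
    return (b > 0 && a < INT64_MIN + b) || (b < 0 && a > INT64_MAX + b);
}

/* Guard from the quoted proposal: INT64_MAX - number < divisor - 1 */
static int proposal_guard_overflows(int64_t number, int64_t divisor)
{
    return sub_overflows(INT64_MAX, number) || sub_overflows(divisor, 1);
}

/* Guard from the reply: INT64_MAX - divisor < number - 1 */
static int reply_guard_overflows(int64_t number, int64_t divisor)
{
    return sub_overflows(INT64_MAX, divisor) || sub_overflows(number, 1);
}

/* Hypothetical helper (not Tor's function): smallest multiple of divisor
 * that is >= number, saturating at INT64_MAX. No subexpression overflows. */
static int64_t round_up_i64_sat(int64_t number, int64_t divisor)
{
    assert(divisor > 0);             /* same precondition the ticket cites */
    int64_t rem = number % divisor;  /* C99: sign of rem follows number */
    if (rem <= 0)
        return number - rem;         /* moves toward zero, cannot overflow */
    int64_t pad = divisor - rem;     /* in 1 .. divisor-1 */
    if (number > INT64_MAX - pad)    /* INT64_MAX - pad cannot overflow */
        return INT64_MAX;
    return number + pad;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%lld\n", (long long)round_up_i64_sat(INT64_MAX - 1, 1000));
    printf("%d %d\n", proposal_guard_overflows(-1, 8),
           reply_guard_overflows(INT64_MIN, 8));
    return 0;
}
```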

