From 1cbe8781642e0dc961838b87793ffb145f70719a Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Sun, 9 Mar 2025 23:00:42 -0400
Subject: [PATCH] libdtrace: Fix an off-by-one in the priority queue implementation

The zero'th index in the array is unused, so a priority queue of N elements needs N+1 array slots. Fix the allocation.

Also fix the assertion in dt_pq_insert(): the assertion needs to be checked after incrementing the count of items in the priority queue, otherwise it can miss an overflow.

Reported by: CHERI
MFC after: 2 weeks
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D49242

(cherry picked from commit 7ee1bdd094d376fdc547e8ca33e472f1d37a7d79)
---
 cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
index 0cd556abd8f..ffbac8b6ea1 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_pq.c
@@ -37,7 +37,7 @@ dt_pq_init(dtrace_hdl_t *dtp, uint_t size, dt_pq_value_f value_cb, void *cb_arg)
 	if ((p = dt_zalloc(dtp, sizeof (dt_pq_t))) == NULL)
 		return (NULL);
 
-	p->dtpq_items = dt_zalloc(dtp, size * sizeof (p->dtpq_items[0]));
+	p->dtpq_items = dt_zalloc(dtp, (size + 1) * sizeof (p->dtpq_items[0]));
 	if (p->dtpq_items == NULL) {
 		dt_free(dtp, p);
 		return (NULL);
@@ -73,9 +73,9 @@ dt_pq_insert(dt_pq_t *p, void *item)
 {
 	uint_t i;
 
-	assert(p->dtpq_last < p->dtpq_size);
-
 	i = p->dtpq_last++;
+	assert(i <= p->dtpq_size);
+
 	p->dtpq_items[i] = item;
 	while (i > 1 && dt_pq_getvalue(p, i) < dt_pq_getvalue(p, i / 2)) {
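Review bot: The new `(size + 1)` in dt_pq_init is evaluated in `uint_t` before the multiplication promotes it to `size_t`, so a `size` of UINT_MAX wraps to zero and dt_zalloc is asked for a zero-byte array that the later `dtpq_items[i]` stores would overrun; whether any caller can reach such a value is not visible from this hunk, so a guard such as `if (size == UINT_MAX) return (NULL);` ahead of the allocation may be cheap insurance. Independently, the reason for the extra slot lives only in the commit message, while the code reads as an unexplained `+ 1`; a comment at the allocation would keep the invariant with the code: `/* Slot 0 is unused: the heap is 1-based (parent of i is i / 2), so size items need size + 1 slots. */`. The 1-based layout is inferred from the `i / 2` parent walk in dt_pq_insert rather than stated anywhere in this file section. dt_pq_init's body continues outside the hunk.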