I'm rejecting this ticket on the base that it's aged and that it seems to be a misunderstanding of what arguments OBJ_bsearch_ex_ should be called with. Since you aren't calling it directly but have made changes in the rest of the OpenSSL source, maybe you should have a look at those changes first. If it isn't there, it's possible there is a fault in the OpenSSL code that calls OBJ_bsearch_ex_, but I fail to find it. If you do find such faults, please create a new ticket.
Cheers, Richard On Fri Dec 19 17:08:28 2014, matthias.mu...@jojema.de wrote: > No, i commented out the RSA encrypt routines and several other things > that i can't/don't use. This resulted in a smaller array to search, > which led me to this problem. > > I know it's no problem if you use OpenSSL the normal way. I don't call > it from my code. My code only calls methods available in the OpenSSL > API. > > Am 17.12.2014 14:51, schrieb Richard Levitte via RT: > > Are you using OBJ_bsearch_ex_ directly from your code? It seems to > me that you > > have misunderstood how it works. size is the size of one element of > your array, > > num is the number of elements. The actual size of the array (in > bytes) should > > then be size*num, and you need to make sure that it is. > > > > I would, however, recommend that you don't call this function > directly, and > > instead use the macro OBJ_bsearch_ex, which will calculate the > element size > > properly for you, given a type that you give it. > > > > On Fri Dec 12 17:52:07 2014, matthias.mu...@jojema.de wrote: > >> Hello, > >> > >> I strapped down OpenSSL 1.0.1j to only the PEM to RSA, BIO and RSA > >> public > >> decrypt functions. So a bug in the binary search in appeared: > >> > >> Current code: > >> > >> const void *OBJ_bsearch_ex_(const void *key, const void *base_, int > >> num, > >> int size, > >> int (*cmp)(const void *, const void *), > >> int flags) > >> { > >> const char *base=base_; > >> int l,h,i=0,c=0; > >> const char *p = NULL; > >> > >> if (num == 0) return(NULL); > >> l=0; > >> h=num; > >> while (l < h) > >> { > >> i=(l+h)/2; > >> p= &(base[i*size]); > >> c=(*cmp)(key,p); > >> if (c < 0) > >> h=i; > >> else if (c > 0) > >> l=i+1; > >> else > >> break; > >> } > >> > >> > >> [...] > >> > >> My case: size = 4 > >> num = 4 > >> > >> In the first round i evaluates to 2 which can not be divided by > size > >> and lets p > >> escape the frame for the pointers, which results in a segfault. > >> > >> General case: > >> > >> This will fail for every case where num < (size * 2) > >> > >> > >> My fix: > >> > >> const void *OBJ_bsearch_ex_(const void *key, const void *base_, int > >> num, > >> int size, > >> int (*cmp)(const void *, const void *), > >> int flags) > >> { > >> const char *base=base_; > >> int l,h,i=0,c=0; > >> const char *p = NULL; > >> > >> if (num == 0) return(NULL); > >> if (num < size*2) { > >> while(i<num) > >> { > >> p=&(base[i*size]); > >> c=(*cmp)(key,p); > >> if (!c) break; > >> else ++i; > >> } > >> } > >> else { > >> l=0; > >> h=num; > >> while (l < h) > >> { > >> i=(l+h)/2; > >> p= &(base[i*size]); > >> c=(*cmp)(key,p); > >> if (c < 0) > >> h=i; > >> else if (c > 0) > >> l=i+1; > >> else > >> break; > >> } > >> } > >> > >> [...] > >> > >> Regards > >> > >> Matthias Mucha > >> > > > > -- > > Richard Levitte > > levi...@openssl.org > > > -- Richard Levitte levi...@openssl.org _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev