From: simon
Date: Mon, 29 Oct 2012 18:33:46 +0000 (+0000)
Subject: Fix a memory access bug in the trie construction. When we attempt to
X-Git-Url: https://git.distorted.org.uk/~mdw/sgt/agedu/commitdiff_plain/aea73b94eceda699dd5208e2a78e39af7d6756d4

Fix a memory access bug in the trie construction. When we attempt to examine the partially built switch node at a given depth, we must abort the attempt if that depth is _at least_ tb->switchsize, not just if it's greater (since, as usual, elements in the array exist up to but not including tb->switchsize).

This was reported as a segfault by an AIX user recently, but turns out not to be a platform-specific issue: valgrind confirms that it's wrong on Linux too, even though it hasn't happened to explode for anyone.

git-svn-id: svn://svn.tartarus.org/sgt/agedu@9693 cda61777-01e9-0310-a592-d414129be87e
---

diff --git a/trie.c b/trie.c index 4857891..d170458 100644 --- a/trie.c +++ b/trie.c @@ -218,7 +218,7 @@ static off_t triebuild_unwind(triebuild *tb, int targetdepth, int *outcount) while (depth > targetdepth) { int odepth = depth; while (depth > targetdepth && - (depth-1 > tb->switchsize || !tb->switches || + (depth-1 >= tb->switchsize || !tb->switches || tb->switches[depth-1].len == 0)) depth--; if (odepth > depth) {
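
Review bot: the corrected bound in the inner `while` condition (`depth-1 >= tb->switchsize`) deserves a one-line comment stating that `tb->switchsize` is the element count of `tb->switches`, so valid indices run from 0 to `tb->switchsize - 1`; the off-by-one survived because that invariant was only implicit. The order of the three tests also matters: the `||` short-circuit is what keeps `tb->switches[depth-1].len` from being evaluated for an out-of-range index or a NULL array, so either say so in the comment or move the test into a small predicate that cannot be reordered by accident. The hunk shows no lower bound on `depth-1`; it is non-negative only if `targetdepth` is never negative, which is not visible here and could be asserted at the top of `triebuild_unwind`. Since the commit message says the bad read did not crash on Linux and was only confirmed with valgrind, running the trie build under valgrind or a sanitizer as part of the tests would stop it from regressing silently.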