Add out-of-bounds check in binsearch()

Signed-off-by: DL6ER <[email protected]>
pi-hole · Nov 17, 2024 · b4bfdcf · b4bfdcf
1 parent b4f194b
commit b4bfdcf
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/src/lookup-table.c b/src/lookup-table.c
@@ -81,6 +81,11 @@ static bool binsearch(struct lookup_table *base, const uint32_t hash,
 	// Initialize the base pointer to the start of the array
 	*try = base;
 
+	// Initialize the begin and end pointers to the start and end of the
+	// array
+	const struct lookup_table *begin = base;
+	const struct lookup_table *end = base + size;
+
 	// Run while there are elements left to be searched in the base array
 	while(size > 0)
 	{
@@ -91,6 +96,14 @@ static bool binsearch(struct lookup_table *base, const uint32_t hash,
 		*try = base + mid;
 
 		// Compare the key with the current element
+		if(*try > end)
+		{
+			// If the pointer is out of bounds, break the loop
+			// as the key is not in the array
+			log_err("Pointer out of bounds in binsearch(): %p - %p but tried to access at %p, size is %zu, mid is %zu, base is %p",
+			        begin, end, *try, size, mid, base);
+			break;
+		}
 		const int sign = cmp_hash(hash, (*try)->hash);
 
 		if(sign == 0)
@@ -107,7 +120,11 @@ static bool binsearch(struct lookup_table *base, const uint32_t hash,
 
 			// If the key is greater than the middle element, the
 			// key would be inserted after the middle element
-			if(sign > 0)
+			// => move the try pointer to the next element
+			// However, only do this if it does not point to the end
+			// of the array as we would otherwise access memory out
+			// of bounds
+			if(sign > 0 && *try < end)
 				(*try)++;
 
 			// Break the loop, we have not found the key but
@@ -214,6 +231,11 @@ bool lookup_insert(const enum memory_type type, const unsigned int id, const uin
 
 	// Calculate the position where the element would be inserted
 	const size_t pos = try - table;
+	if(pos > *size)
+	{
+		log_err("Invalid insertion position %zu/%u in %s lookup table", pos, *size, name);
+		return false;
+	}
 
 	// Move all elements from the insertion point to the end of the array
 	// one position to the right to make space for the new element
@@ -268,6 +290,11 @@ bool lookup_remove(const enum memory_type type, const unsigned int id, const uin
 
 	// Calculate the position where the element is located
 	size_t pos = try - table;
+	if(pos >= *size)
+	{
+		log_err("Invalid removal position %zu/%u in %s lookup table", pos, *size, name);
+		return false;
+	}
 
 	// If binsearch finds the element, it returns the address *one*
 	// of the elements matching the hash value. We need to find the
@@ -345,6 +372,11 @@ bool lookup_find_id(const enum memory_type type, const uint32_t hash, const stru
 
 	// Calculate the position where the element is located
 	size_t pos = try - table;
+	if(pos >= *size)
+	{
+		log_err("Invalid search position %zu/%u in %s lookup table", pos, *size, name);
+		return false;
+	}
 
 	// If binsearch finds the element, it returns the address *one*
 	// of the elements matching the hash value. We need to find the