Opened 5 years ago
#13127 new Bugs
out of bound memory access in integer_sort
| Reported by: | Owned by: | Paul A. Bristow | |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | sort |
| Version: | Boost 1.64.0 | Severity: | Problem |
| Keywords: | Cc: |
Description
I called integer_sort() to sort a data array, found a oob access, and crashed.
check the code, found it occurs in inner_swap_loop. the code is like the following:
target_bin = bins + (rshift(*current, log_divisor) - div_min)
but in the previous code, function spreadsort_rec(). the bin count is calculated by the code with a cast (unsigned):
unsigned bin_count = unsigned(div_max - div_min) + 1;
and the next place in spreadsort_rec()
for (RandomAccessIter current = first; current != last;)
bin_sizes[unsigned(rshift(*(current++), log_divisor) - div_min)]++;
so that, I thought there is a missing cast (unsigned) in inner_swap_loop().
Note:
See TracTickets
for help on using tickets.
