commit 14c611cf9158c0e6dd64b4ce746cc4807f76e0e6
author David Benjamin <davidben@google.com> Mon Jan 21 20:33:09 2019 +0000
committer Adam Langley <agl@google.com> Tue Jan 22 23:28:38 2019 +0000
tree ad8ffc219a7fb806ea4a2b3b21f0c282073606f7
parent 9847cdd785abae6313412fc5a824b938bef6ba98

Don't pass NULL,0 to qsort.

qsort shares the same C language bug as mem*. Two of our calls may see
zero-length lists. This trips UBSan.

Change-Id: Id292dd277129881001eb57b1b2db78438cf4642e
Reviewed-on: https://boringssl-review.googlesource.com/c/34447
Reviewed-by: Adam Langley <agl@google.com>

crypto/stack/stack.c

diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c
index 93b9d1b..ec557c0 100644
--- a/crypto/stack/stack.c
+++ b/crypto/stack/stack.c
@@ -358,8 +358,6 @@
 }
 
 void sk_sort(_STACK *sk) {
-  int (*comp_func)(const void *,const void *);
-
   if (sk == NULL || sk->comp == NULL || sk->sorted) {
     return;
   }
@@ -370,8 +368,11 @@
   // e.g., CFI does not notice. Unfortunately, |qsort| is missing a void*
   // parameter in its callback and |qsort_s| / |qsort_r| are a mess of
   // incompatibility.
-  comp_func = (int (*)(const void *, const void *))(sk->comp);
-  qsort(sk->data, sk->num, sizeof(void *), comp_func);
+  if (sk->num >= 2) {
+    int (*comp_func)(const void *, const void *) =
+        (int (*)(const void *, const void *))(sk->comp);
+    qsort(sk->data, sk->num, sizeof(void *), comp_func);
+  }
   sk->sorted = 1;
 }
 

ssl/ssl_privkey.cc

diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 16888b9..d45670a 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -553,6 +553,10 @@
 }
 
 static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
+  if (in_sigalgs.size() < 2) {
+    return true;
+  }
+
   Array<uint16_t> sigalgs;
   if (!sigalgs.CopyFrom(in_sigalgs)) {
     return false;