author: Mitchell Horne <mhorne@FreeBSD.org> 2020-11-16 18:41:49 +0000
committer: Mitchell Horne <mhorne@FreeBSD.org> 2020-11-16 18:41:49 +0000
commit: a521f2116473fbd8c09db395518f060a27d02334 (patch)
tree: 394c16954e84d21756d8575ef2ce296b07d05b45 /usr.bin/bsdiff
parent: 89deca0a3361f59635abad8fbd2f8af3ab6aab2d (diff)
bsdiff: fix off-by-one error
The program reads oldsize bytes from oldfile, and proceeds to initialize a suffix array of oldsize elements using divsufsort(). As per the function's API [1], array indices 0 through n-1 are initialized. Later, search() is called, but with index bounds [0, n]. Depending on the contents of the malloc'd buffer, accessing this uninitialized index at the end of can result in a segmentation fault. Fix this by passing oldsize-1 to search(), limiting the search bounds to [0, n-1].

This bug is a result of r303285, which introduced divsufsort() as an alternate suffix sorting function to the existing qsufsort(). It seems that qsufsort() did initialize the final empty element, meaning it could be safely accessed. This difference in the implementations was missed at the time.

[1] https://github.com/y-256/libdivsufsort

Discussed with: cperciva
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D26911
Notes: svn path=/head/; revision=367734
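The off-by-one the commit message describes, as an added example that is not part of the FreeBSD commit or of bsdiff's own code: a suffix array built with a plain qsort stands in for divsufsort() (which likewise fills only I[0..n-1]), and search() mirrors the inclusive-bound binary search the call site above relies on, but reads I[] through a bounds-checked accessor that counts accesses past n-1 instead of performing them. The constructed "banana_bandana" input, the query strings and every function name here are assumptions for the example; run_search() reports the match and how many reads went past the array for a given upper bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "old" file (not from the commit): n = 14 bytes. */
static const unsigned char OLD[] = "banana_bandana";
#define OLDSIZE ((long)(sizeof(OLD) - 1))

/* Comparator state for the qsort-based suffix sort below. */
static const unsigned char *g_old;
static long g_n;

static int suffix_cmp(const void *a, const void *b)
{
    long ia = *(const long *)a, ib = *(const long *)b;
    long la = g_n - ia, lb = g_n - ib;
    long m = la < lb ? la : lb;
    int c = memcmp(g_old + ia, g_old + ib, (size_t)m);
    if (c != 0)
        return c;
    return (la < lb) ? -1 : (la > lb);   /* shorter suffix sorts first */
}

/* Stand-in for divsufsort(): like it, fills exactly I[0..n-1]. The array
 * has n entries, so I[n] does not exist. */
static long *build_suffix_array(const unsigned char *old, long n)
{
    long *I = malloc((size_t)n * sizeof(*I));
    for (long i = 0; i < n; i++)
        I[i] = i;
    g_old = old;
    g_n = n;
    qsort(I, (size_t)n, sizeof(*I), suffix_cmp);
    return I;
}

/* Bounds-checked read of I[idx]: where the pre-fix bsdiff would read past
 * the array, this counts the violation and returns 0 instead. */
static int g_oob_reads;
static long I_at(const long *I, long n, long idx)
{
    if (idx < 0 || idx >= n) { g_oob_reads++; return 0; }
    return I[idx];
}

static long matchlen(const unsigned char *a, long alen,
                     const unsigned char *b, long blen)
{
    long i;
    for (i = 0; i < alen && i < blen && a[i] == b[i]; i++)
        ;
    return i;
}

/* Binary search over the suffix array with INCLUSIVE bounds [st, en],
 * shaped like bsdiff's search(): the leaf case reads I[en], so the caller
 * must pass a valid last index. Returns the longest match length and
 * stores its offset in old via *pos. */
static long search(const long *I, const unsigned char *old, long oldsize,
                   const unsigned char *newbuf, long newsize,
                   long st, long en, long *pos)
{
    if (en - st < 2) {
        long a = I_at(I, oldsize, st);
        long b = I_at(I, oldsize, en);
        long x = matchlen(old + a, oldsize - a, newbuf, newsize);
        long y = matchlen(old + b, oldsize - b, newbuf, newsize);
        if (x > y) { *pos = a; return x; }
        *pos = b;
        return y;
    }
    long mid = st + (en - st) / 2;
    long m = I_at(I, oldsize, mid);
    long cmplen = (oldsize - m < newsize) ? oldsize - m : newsize;
    if (memcmp(old + m, newbuf, (size_t)cmplen) < 0)
        return search(I, old, oldsize, newbuf, newsize, mid, en, pos);
    return search(I, old, oldsize, newbuf, newsize, st, mid, pos);
}

struct result { long len, pos; int oob_reads; };

/* One search over OLD with the given inclusive upper bound `en`. */
static struct result run_search(const char *newbuf, long en)
{
    long *I = build_suffix_array(OLD, OLDSIZE);
    struct result r;
    g_oob_reads = 0;
    r.len = search(I, OLD, OLDSIZE, (const unsigned char *)newbuf,
                   (long)strlen(newbuf), 0, en, &r.pos);
    r.oob_reads = g_oob_reads;
    free(I);
    return r;
}

int main(void)
{
    /* "zzz" sorts after every suffix, so the search walks to the right edge. */
    struct result fixed = run_search("zzz", OLDSIZE - 1);  /* bounds [0, n-1] */
    struct result before = run_search("zzz", OLDSIZE);     /* bounds [0, n]   */
    printf("en=n-1: reads past I[n-1] = %d\n", fixed.oob_reads);
    printf("en=n:   reads past I[n-1] = %d\n", before.oob_reads);
    struct result hit = run_search("nana", OLDSIZE - 1);
    printf("\"nana\" matches %ld bytes at old offset %ld\n", hit.len, hit.pos);
    return 0;
}
```

The query that exposes the defect is one that sorts after every suffix: the binary search then keeps the right bound at its initial value all the way down to the leaf, which reads I[en]. With en = n that is one element past what the sorter initialised; with en = n-1 every read stays inside the array and the search still returns the correct longest match.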
Diffstat (limited to 'usr.bin/bsdiff')
-rw-r--r--  usr.bin/bsdiff/bsdiff/bsdiff.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/usr.bin/bsdiff/bsdiff/bsdiff.c b/usr.bin/bsdiff/bsdiff/bsdiff.c
index 57243fc50ba0..337e7085b3da 100644
--- a/usr.bin/bsdiff/bsdiff/bsdiff.c
+++ b/usr.bin/bsdiff/bsdiff/bsdiff.c
@@ -212,7 +212,7 @@ int main(int argc,char *argv[])
for(scsc=scan+=len;scan<newsize;scan++) {
len=search(I,old,oldsize,new+scan,newsize-scan,
- 0,oldsize,&pos);
+ 0,oldsize-1,&pos);
for(;scsc<scan+len;scsc++)
if((scsc+lastoffset<oldsize) &&
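Review bot: the corrected bound relies on search() treating `en` as an inclusive index, and nothing at the call site records that it must not exceed `oldsize-1`, the last element divsufsort() initialises; a one-line comment next to `0,oldsize-1,&pos);` stating that the upper bound is inclusive and tied to the sorter's [0, n-1] range would keep a future change of sorter from reintroducing the mismatch the message says was missed in r303285. Also worth confirming in the same review what search() does when `oldsize` is 0, since the upper bound then becomes -1.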