Don't use any asserts(), even raw, in format_number_sigsafe().

author Nick Mathewson <nickm@torproject.org>

Wed, 20 Jun 2018 20:11:09 +0000 (16:11 -0400)

committer Nick Mathewson <nickm@torproject.org>

Wed, 20 Jun 2018 20:16:45 +0000 (16:16 -0400)
author Nick Mathewson <nickm@torproject.org>
Wed, 20 Jun 2018 20:11:09 +0000 (16:11 -0400)
committer Nick Mathewson <nickm@torproject.org>
Wed, 20 Jun 2018 20:16:45 +0000 (16:16 -0400)
diff --git a/src/common/torerr.c b/src/common/torerr.c

index 5dbdc629ad476d27204f0d1be7b2ca05c85fe697..0e0c4db3559b587102586cd1111fc72e3e62fc11 100644 (file)
--- a/src/common/torerr.c
+++ b/src/common/torerr.c
@@ -155,8 +155,9 @@ format_number_sigsafe(unsigned long x, char *buf, int buf_len,
    int len;
    char *cp;
  
-  /* NOT tor_assert. This needs to be safe to run from within a signal handler,
-   * and from within the 'tor_assert() has failed' code. */
+  /* NOT tor_assert. This needs to be safe to run from within a signal
+   * handler, and from within the 'tor_assert() has failed' code.  Not even
+   * raw_assert(), since raw_assert() calls this function on failure. */
    if (radix < 2 || radix > 16)
      return 0;
  
@@ -176,7 +177,10 @@ format_number_sigsafe(unsigned long x, char *buf, int buf_len,
    *cp = '\0';
    do {
      unsigned digit = (unsigned) (x % radix);
-    raw_assert(cp > buf);
+    if (cp <= buf) {
+      /* Not tor_assert(); see above. */
+      abort();
+    }
      --cp;
      *cp = "0123456789ABCDEF"[digit];
      x /= radix;
author	Nick Mathewson <nickm@torproject.org>
	Wed, 20 Jun 2018 20:11:09 +0000 (16:11 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Wed, 20 Jun 2018 20:16:45 +0000 (16:16 -0400)