In the code for bsearch, if l and u are both very, very large, this line in libc/stdlib/bsearch.c calculates the midpoint incorrectly due to an integer overflow: idx = (l + u) / 2;
You do not even understand how binary searching works, do you? The sum can never exceed nmemb and nmemb obviously fits into a size_t.
I mean a valid nmemb size. It can never be too large. If you pass in garbage, you get out garbage. There is nothing wrong with that.
The point is, the sum l + u obviously can exceed nmemb, because if the searched-for value is at the end, on the first iteration l is increased and u stays equal to nmemb. At this point in the execution, _prior_ to dividing by 2, integer overflow can occur.
No, l + u cannot overflow since a) arrays of 1 byte values don't make any sense (same for 2 bytes and probably 3 bytes) and b) for every record size >= 2 we don't overflow. I'm not adding useless changes for bogus code.
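The following is an added example, not code from this bug report or from the library's libc/stdlib/bsearch.c. It models the search loop the thread is arguing about so that both sides can be checked: the midpoint written as (l + u) / 2 beside the wrap-free form l + (u - l) / 2, and the bound behind the record-size argument. To make l and u as large as the report describes without allocating memory, the array is virtual: element i has key i (an assumption of the example; it corresponds to nmemb one-byte records, the only case in which nmemb can be as large as SIZE_MAX). The function and macro names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOT_FOUND  ((size_t)-1)
#define OVERFLOWED ((size_t)-2)

/* Key of the virtual element at index idx (constructed input: the array is
 * sorted by construction and needs no storage). */
static size_t key_at(size_t idx)
{
    return idx;
}

/* Binary search with the midpoint written as (l + u) / 2, as in the report.
 * Returns the index of key, NOT_FOUND, or OVERFLOWED when the computed
 * midpoint lies outside [l, u), which can only happen if l + u wrapped. */
static size_t search_sum_midpoint(size_t key, size_t nmemb)
{
    size_t l = 0, u = nmemb;
    while (l < u) {
        size_t idx = (l + u) / 2;   /* the line under discussion */
        if (idx < l || idx >= u)
            return OVERFLOWED;
        size_t k = key_at(idx);
        if (key < k)
            u = idx;
        else if (key > k)
            l = idx + 1;
        else
            return idx;
    }
    return NOT_FOUND;
}

/* Same search with the midpoint l + (u - l) / 2. The loop guarantees
 * l < u, so u - l cannot wrap and the result always stays within [l, u). */
static size_t search_safe_midpoint(size_t key, size_t nmemb)
{
    size_t l = 0, u = nmemb;
    while (l < u) {
        size_t idx = l + (u - l) / 2;
        size_t k = key_at(idx);
        if (key < k)
            u = idx;
        else if (key > k)
            l = idx + 1;
        else
            return idx;
    }
    return NOT_FOUND;
}

/* Inside the loop l <= nmemb - 1 and u <= nmemb, so l + u <= 2*nmemb - 1.
 * That exceeds SIZE_MAX exactly when nmemb > SIZE_MAX / 2 + 1. */
static int sum_midpoint_can_overflow(size_t nmemb)
{
    return nmemb > SIZE_MAX / 2 + 1;
}

/* Largest element count of a given record size that fits the address
 * space: nmemb * size must not exceed SIZE_MAX. Only size 1 yields a count
 * for which sum_midpoint_can_overflow() is true. */
static size_t max_nmemb_for_size(size_t size)
{
    return SIZE_MAX / size;
}

int main(void)
{
    size_t nmemb = SIZE_MAX;      /* only reachable with 1-byte records */
    size_t key = SIZE_MAX - 1;    /* searched-for value at the end, as in the report */

    size_t r = search_sum_midpoint(key, nmemb);
    printf("(l + u) / 2    : %s\n", r == OVERFLOWED ? "midpoint left [l, u) (l + u wrapped)"
                                                     : "found");
    r = search_safe_midpoint(key, nmemb);
    printf("l + (u - l) / 2: %s\n", r == key ? "found at the expected index" : "wrong");

    for (size_t size = 1; size <= 4; size++)
        printf("size %zu: max nmemb %zu, (l + u) can wrap: %d\n",
               size, max_nmemb_for_size(size),
               sum_midpoint_can_overflow(max_nmemb_for_size(size)));
    return 0;
}
```

On a 64-bit size_t the first form fails on the second iteration: after the first probe l becomes 2^63 while u is still SIZE_MAX, so l + u wraps to 2^63 - 1 and the midpoint drops below l. The second form finds the key. The last loop prints the bound from the final reply: with records of 2 bytes or more, the largest nmemb that fits the address space is at most SIZE_MAX / 2, for which l + u cannot wrap; only 1-byte records can reach a count where it does.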