Potential integer overflow and memory corruption in smartlist_heapify
The LEFT_CHILD/RIGHT_CHILD macros used in container.c::smartlist_heapify() can overflow.
This can potentially result in using a negative array index in the smartlist memory block and writing to some out-of-bounds memory location.
This is probably not currently exploitable, given the limited usage of smartlist_heapify. The places where it is used look hard for an attacker to control, and the amount of memory required would likely be too much for Tor to be able to allocate.
Tor should be built with -ftrapv. Ticket 17983 looks like a bad idea.
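
An added illustration of the overflow described in this ticket, not Tor's code or the fix applied to it: the macro bodies are assumed to be the usual array-heap form `2*i+1` / `2*i+2` on a 32-bit `int`, and `MAX_PARENT_IDX`, `idx_may_have_children`, `wrapped_left_child`, `heapify_checked` and `demo_ok` are hypothetical names. It bounds the index before the macros are evaluated, so a child index can never wrap negative.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed macro bodies (standard array-backed binary heap); not copied from Tor. */
#define LEFT_CHILD(i)  (2 * (i) + 1)
#define RIGHT_CHILD(i) (2 * (i) + 2)
/* Largest parent index for which RIGHT_CHILD(i) still fits in an int. */
#define MAX_PARENT_IDX ((INT_MAX - 2) / 2)

/* Hypothetical guard: 1 if both child macros can be evaluated without overflow. */
static int idx_may_have_children(int idx) {
  return idx >= 0 && idx <= MAX_PARENT_IDX;
}

/* Value a 32-bit two's-complement int would hold after 2*idx+1 wraps,
 * computed in 64 bits so the demo itself has no undefined behaviour. */
static int64_t wrapped_left_child(int32_t idx) {
  int64_t wide = 2 * (int64_t)idx + 1;
  uint32_t low = (uint32_t)wide; /* keep the low 32 bits */
  return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Min-heap sift-down over ints; the guard runs before any child index is formed. */
static void heapify_checked(int *a, int len, int idx) {
  while (idx_may_have_children(idx)) {
    int left = LEFT_CHILD(idx), right = RIGHT_CHILD(idx), best;
    if (left >= len) return; /* no children inside the array */
    best = (right < len && a[right] < a[left]) ? right : left;
    if (a[idx] <= a[best]) return; /* heap property already holds */
    int tmp = a[idx]; a[idx] = a[best]; a[best] = tmp;
    idx = best;
  }
}

/* Constructed sample: 1 if sifting the root down yields {3, 4, 5, 9, 8}. */
static int demo_ok(void) {
  int a[] = {9, 3, 5, 4, 8};
  heapify_checked(a, 5, 0);
  return a[0] == 3 && a[1] == 4 && a[2] == 5 && a[3] == 9 && a[4] == 8;
}

int main(void) {
  printf("guard past limit: %d, wrapped child: %lld, heap ok: %d\n",
         idx_may_have_children(MAX_PARENT_IDX + 1),
         (long long)wrapped_left_child(MAX_PARENT_IDX + 2), demo_ok());
  return 0;
}
```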