Author: rpluem
Date: Wed Feb 27 03:31:42 2008
New Revision: 631559
URL: http://svn.apache.org/viewvc?rev=631559&view=rev
Log:
Merge r630780, r631110, r631553 from trunk:
* apr_brigade_partition:
Use a 64 bit unsigned int for all calculations of point to avoid overflows
on systems where apr_off_t > apr_size_t (e.g. 32 bit with LFS)
while still doing the correct thing on other systems where
apr_off_t = apr_size_t. We currently do not support platforms
where apr_off_t, apr_size_t > 64 bit.
* Add CHANGES entry for r630780.
* We are working with point64 here, no longer with point.
Submitted by: rpluem
Reviewed by: rpluem
Modified:
apr/aprutil/branches/1.2.x/CHANGES
apr/aprutil/branches/1.2.x/buckets/apr_brigade.c
Modified: apr/aprutil/branches/1.2.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/aprutil/branches/1.2.x/CHANGES?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
 apr/aprutil/branches/1.2.x/CHANGES [utf8] (original)
+++ apr/aprutil/branches/1.2.x/CHANGES [utf8] Wed Feb 27 03:31:42 2008
@@ 2,6 +2,9 @@
Changes with APRutil 1.2.13
+ *) Fix a regression in apr_brigade_partition that causes integer overflows
+ on systems where apr_off_t > apr_size_t. [Ruediger Pluem]
+
*) Ensure that apr_uri_unparse does not add scheme to URI if
APR_URI_UNP_OMITSITEPART flag is set. PR 44044.
[Michael Clark <michael metaparadigm.com>]
Modified: apr/aprutil/branches/1.2.x/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/aprutil/branches/1.2.x/buckets/apr_brigade.c?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
 apr/aprutil/branches/1.2.x/buckets/apr_brigade.c (original)
+++ apr/aprutil/branches/1.2.x/buckets/apr_brigade.c Wed Feb 27 03:31:42 2008
@@ 103,6 +103,7 @@
apr_bucket *e;
const char *s;
apr_size_t len;
+ apr_uint64_t point64;
apr_status_t rv;
if (point < 0) {
@@ 114,17 +115,25 @@
return APR_SUCCESS;
}
+ /*
+ * Try to reduce the following casting mess: We know that point will be
+ * larger equal 0 now and forever and thus that point (apr_off_t) and
+ * apr_size_t will fit into apr_uint64_t in any case.
+ */
+ point64 = (apr_uint64_t)point;
+
APR_BRIGADE_CHECK_CONSISTENCY(b);
for (e = APR_BRIGADE_FIRST(b);
e != APR_BRIGADE_SENTINEL(b);
e = APR_BUCKET_NEXT(e))
{
 /* For an unknown length bucket, while 'point' is beyond the possible
+ /* For an unknown length bucket, while 'point64' is beyond the possible
* size contained in apr_size_t, read and continue...
*/
 if ((e>length == (apr_size_t)(1)) && (point > MAX_APR_SIZE_T)) {
 /* point is too far out to simply split this bucket,
+ if ((e>length == (apr_size_t)(1))
+ && (point64 > (apr_uint64_t)MAX_APR_SIZE_T)) {
+ /* point64 is too far out to simply split this bucket,
* we must fix this bucket's size and keep going... */
rv = apr_bucket_read(e, &s, &len, APR_BLOCK_READ);
if (rv != APR_SUCCESS) {
@@ 132,14 +141,15 @@
return rv;
}
}
 else if (((apr_size_t)point < e>length)  (e>length == (apr_size_t)(1)))
{
 /* We already consumed buckets where point is beyond
 * our interest ( point > MAX_APR_SIZE_T ), above.
 * Here point falls between 0 and MAX_APR_SIZE_T
+ else if ((point64 < (apr_uint64_t)e>length)
+  (e>length == (apr_size_t)(1))) {
+ /* We already consumed buckets where point64 is beyond
+ * our interest ( point64 > MAX_APR_SIZE_T ), above.
+ * Here point falls between 0 and MAX_APR_SIZE_T
* and is within this bucket, or this bucket's len
* is undefined, so now we are ready to split it.
* First try to split the bucket natively... */
 if ((rv = apr_bucket_split(e, (apr_size_t)point))
+ if ((rv = apr_bucket_split(e, (apr_size_t)point64))
!= APR_ENOTIMPL) {
*after_point = APR_BUCKET_NEXT(e);
return rv;
@@ 156,17 +166,17 @@
/* this assumes that len == e>length, which is okay because e
* might have been morphed by the apr_bucket_read() above, but
* if it was, the length would have been adjusted appropriately */
 if ((apr_size_t)point < e>length) {
 rv = apr_bucket_split(e, (apr_size_t)point);
+ if (point64 < (apr_uint64_t)e>length) {
+ rv = apr_bucket_split(e, (apr_size_t)point64);
*after_point = APR_BUCKET_NEXT(e);
return rv;
}
}
 if (point == e>length) {
+ if (point64 == (apr_uint64_t)e>length) {
*after_point = APR_BUCKET_NEXT(e);
return APR_SUCCESS;
}
 point = e>length;
+ point64 = (apr_uint64_t)e>length;
}
*after_point = APR_BRIGADE_SENTINEL(b);
return APR_INCOMPLETE;
