apr-dev mailing list archives

From "Sander Striker" <stri...@apache.org>
Subject Possible segfault in apr_pvsprintf
Date Thu, 23 Aug 2001 14:00:24 GMT
Hi,

In addition to the possible segfault in apr_palloc
when no abort function is set and we're out of mem,
there is another possible segfault in apr_pvsprintf.
This one is even worse, because there is no abort
function.

Excerpt from apr_pools.c:psprintf_flush():

    /* must try another blok */
#if APR_HAS_THREADS
    apr_lock_acquire(alloc_mutex);
#endif
    nblok = new_block(2 * cur_len, NULL);
#if APR_HAS_THREADS
    apr_lock_release(alloc_mutex);
#endif
    memcpy(nblok->h.first_avail, blok->h.first_avail, cur_len);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ps->vbuff.curpos = nblok->h.first_avail + cur_len;
    /* save a byte for the NUL terminator */
    ps->vbuff.endpos = nblok->h.endp - 1;

The code will segfault at the marked line when out of mem occurs
within psprintf_flush.

Sander
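The pattern the mail points at, shown in runnable form as an added example (this is not APR code; the block struct, the state struct and the fault-injection switch `simulate_oom` are this example's own simplifications, and the old block is simply free()d where APR would return it to the pool). `psprintf_flush_unchecked` mirrors the excerpt: `new_block()` can return NULL, and `memcpy` dereferences that NULL. `psprintf_flush_checked` tests the allocation first and reports failure to its caller without touching the state; how the real APR code should surface that failure is the question the mail raises, not something this example decides.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an APR memory block: header, then storage.
 * This is the example's own struct, not APR's. */
typedef struct block {
    char *first_avail;   /* next free byte in the block */
    char *endp;          /* one past the last byte of the block */
    char data[];         /* the block's storage */
} block_t;

/* Fault-injection knob (constructed for this example): when nonzero,
 * new_block() returns NULL to simulate an out-of-memory condition. */
static int simulate_oom = 0;

block_t *new_block(size_t size)
{
    if (simulate_oom)
        return NULL;
    block_t *b = malloc(sizeof *b + size);
    if (b == NULL)
        return NULL;
    b->first_avail = b->data;
    b->endp = b->data + size;
    return b;
}

typedef struct {
    block_t *blok;   /* block holding the partially formatted output */
    char *curpos;    /* next write position inside blok */
    char *endpos;    /* last writable byte (one reserved for the NUL) */
} psprintf_state;

/* The pattern from the excerpt: new_block()'s result goes straight into
 * memcpy() with no NULL check. Kept for comparison only; never called here. */
void psprintf_flush_unchecked(psprintf_state *ps)
{
    size_t cur_len = (size_t)(ps->curpos - ps->blok->first_avail);
    block_t *nblok = new_block(2 * cur_len);
    memcpy(nblok->first_avail, ps->blok->first_avail, cur_len); /* NULL deref on OOM */
    free(ps->blok);
    ps->blok = nblok;
    ps->curpos = nblok->first_avail + cur_len;
    ps->endpos = nblok->endp - 1;
}

/* Hardened version: check the allocation before touching it and leave the
 * state untouched on failure. Returns 0 on success, -1 on out-of-memory. */
int psprintf_flush_checked(psprintf_state *ps)
{
    size_t cur_len = (size_t)(ps->curpos - ps->blok->first_avail);
    block_t *nblok = new_block(2 * cur_len);
    if (nblok == NULL)
        return -1;               /* nothing has been modified; caller decides */
    memcpy(nblok->first_avail, ps->blok->first_avail, cur_len);
    free(ps->blok);              /* APR would hand it back to the pool instead */
    ps->blok = nblok;
    ps->curpos = nblok->first_avail + cur_len;
    ps->endpos = nblok->endp - 1;
    return 0;
}

/* Driver: start with a block exactly large enough for `text`, then grow it,
 * optionally injecting OOM on that growth. Returns the flush result; on
 * success copies the preserved output into `out` (NUL-terminated) and checks
 * that the grown block still reserves a byte for the terminator. */
int run_flush(const char *text, int oom_on_grow, char *out, size_t outsz)
{
    psprintf_state ps;
    size_t len = strlen(text);

    simulate_oom = 0;
    ps.blok = new_block(len + 1);          /* +1 is the reserved NUL byte */
    if (ps.blok == NULL)
        return -2;
    memcpy(ps.blok->first_avail, text, len);
    ps.curpos = ps.blok->first_avail + len;
    ps.endpos = ps.blok->endp - 1;

    simulate_oom = oom_on_grow;
    int rc = psprintf_flush_checked(&ps);
    simulate_oom = 0;

    if (rc == 0 && outsz > 0) {
        size_t have = (size_t)(ps.curpos - ps.blok->first_avail);
        if (have >= outsz)
            have = outsz - 1;
        memcpy(out, ps.blok->first_avail, have);
        out[have] = '\0';
        if (ps.endpos != ps.blok->endp - 1 || ps.endpos < ps.curpos)
            rc = -3;                       /* terminator byte not reserved */
    }
    free(ps.blok);                         /* on failure this is the old block */
    return rc;
}

int main(void)
{
    char out[32];
    int rc = run_flush("ABCDEFG", 0, out, sizeof out);
    printf("grow ok : rc=%d out=\"%s\"\n", rc, out);
    rc = run_flush("ABCDEFG", 1, out, sizeof out);
    printf("grow oom: rc=%d (old block intact, nothing dereferenced)\n", rc);
    return 0;
}
```

With `oom_on_grow` set, the checked flush returns -1 and the original block is still valid and freed normally; the unchecked variant would have crashed at the `memcpy`, which is exactly the marked line in the excerpt.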

