httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject memory management goof in alloc.c (fwd)
Date Wed, 26 Feb 1997 15:58:26 GMT


Hi,

Thanks for the info and patch. We'll take a look and see what can be
done for the next beta.

cheers,
rob.

_______________________________________________________________________
Date: Wed, 26 Feb 97 15:17 EET
From: Kai Risku <krisku@tf.hut.fi>
To: apache-bugs@apache.org
Subject: memory management goof in alloc.c

Greetings!

I have found a rather serious memory management problem regarding the
handling of 'arrays' in the file alloc.c. I found the problem when
trying to debug my enhanced dir-module. I found the problem on Apache
1.1.1, but the same problem is still there in Apache 1.2b7.

The bug manifests itself when using the function 'append_arrays' and
the first array has nelts==0. The function 'append_arrays' first uses
the function 'copy_array_hdr' to make a copy of the first array
header, and this sets nalloc=nelts on the copy to force an overflow on
the next push. Unfortunately the function 'push_array' misbehaves
badly for an array with nalloc equal to zero, resulting in corruption
of memory.

Included below is a patch that makes 'push_array' aware of how to add
an element to an array with nalloc==0. This closely mimics the
behaviour of 'array_cat' which seems to correctly handle the case
where the destination's nalloc is zero.


========================= Cut here ==========================
*** alloc.c.orig	Wed Feb 26 14:50:03 1997
--- alloc.c	Wed Feb 26 14:52:26 1997
***************
*** 458,468 ****
  void *push_array (array_header *arr)
  {
    if (arr->nelts == arr->nalloc) {
!     char *new_data = pcalloc (arr->pool, arr->nalloc * arr->elt_size * 2);
  
      memcpy (new_data, arr->elts, arr->nalloc * arr->elt_size);
      arr->elts = new_data;
!     arr->nalloc *= 2;
    }
  
    ++arr->nelts;
--- 458,473 ----
  void *push_array (array_header *arr)
  {
    if (arr->nelts == arr->nalloc) {
!     int new_size = arr->nalloc * 2;
!     char *new_data;
!     
!     if (new_size == 0) ++new_size;
! 
!     new_data = pcalloc (arr->pool, arr->elt_size * new_size);
  
      memcpy (new_data, arr->elts, arr->nalloc * arr->elt_size);
      arr->elts = new_data;
!     arr->nalloc = new_size;
    }
  
    ++arr->nelts;
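Review bot: the unchanged `memcpy (new_data, arr->elts, arr->nalloc * arr->elt_size);` line still runs with a length of zero when `arr->nalloc` is 0, and calling `memcpy` with a null source pointer is undefined behaviour in C even for zero bytes; guarding it with `if (arr->nalloc)` would make the empty-array path safe regardless of what `arr->elts` holds. Also, `if (new_size == 0) ++new_size;` hides the intent; `int new_size = arr->nalloc ? arr->nalloc * 2 : 1;` (or a one-line comment saying a zero-capacity array grows to one element) would make it obvious to the next reader why the special case exists.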
========================= Cut here ==========================


-- 
Kai.Risku@hut.fi        / Our major obligation is not to
Voice: +358-(0)9-523541 / mistake slogans for solutions.
Helsinki Univ. of Tech. /         - Edward R. Murrow
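The failure mode described in the report, as an added example that is not part of the original thread or of Apache's alloc.c: a stand-in `array_header` with the same field names, a `pcalloc_stub` built on `calloc` in place of the pool allocator, and a `push_array_checked` that takes the growth rule as a parameter and refuses to hand out a slot when capacity is insufficient (the real function has no such check, which is why the unpatched version corrupts memory). `grow_size_buggy` is the doubling rule from the unpatched code, `grow_size_fixed` the rule from the patch; `copy_array_hdr_stub` mimics `copy_array_hdr` setting `nalloc = nelts`. All helper names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Apache 1.2's array_header (field names follow the
   bug report and patch; this is example code, not alloc.c itself). */
typedef struct {
    int nelts;      /* elements in use */
    int nalloc;     /* elements with storage allocated */
    int elt_size;   /* bytes per element */
    char *elts;     /* element storage */
} array_header;

/* Zeroed allocation standing in for pcalloc(pool, n). A size of 0 is passed
   through unchanged so that the capacity logic, not the allocator, is what
   gets exercised. Pool memory is never freed individually in Apache; this
   example simply leaks. */
static char *pcalloc_stub(size_t nbytes) { return calloc(nbytes, 1); }

/* Growth rule of the unpatched push_array: doubles blindly, so 0 stays 0. */
int grow_size_buggy(int nalloc) { return nalloc * 2; }

/* Growth rule from the patch: a zero-capacity array grows to one element. */
int grow_size_fixed(int nalloc) { return nalloc ? nalloc * 2 : 1; }

/* push_array with the growth rule made pluggable and an explicit capacity
   check before a slot is returned. Returns NULL instead of writing past the
   end of a zero-byte block, which is what the unpatched code would do. */
void *push_array_checked(array_header *arr, int (*grow)(int))
{
    if (arr->nelts == arr->nalloc) {
        int new_size = grow(arr->nalloc);
        char *new_data = pcalloc_stub((size_t)new_size * arr->elt_size);
        if (arr->nalloc > 0)   /* never memcpy from a possibly NULL elts */
            memcpy(new_data, arr->elts, (size_t)arr->nalloc * arr->elt_size);
        arr->elts = new_data;
        arr->nalloc = new_size;
    }
    if (arr->nelts >= arr->nalloc)
        return NULL;           /* no room: the original would corrupt memory here */
    ++arr->nelts;
    return arr->elts + (arr->nelts - 1) * arr->elt_size;
}

/* Mirrors copy_array_hdr: share the element storage and set nalloc = nelts so
   the next push is forced to reallocate (copy-on-write). When nelts == 0 this
   leaves nalloc == 0, the state that trips the unpatched push_array. */
void copy_array_hdr_stub(array_header *dst, const array_header *src)
{
    *dst = *src;
    dst->nalloc = dst->nelts;
}

/* Copies the header of an empty array (the append_arrays scenario from the
   report) and pushes `count` ints onto the copy with the given growth rule.
   Returns how many pushes succeeded; 0 means the very first push was refused,
   i.e. the unpatched code would have written out of bounds. */
int pushes_after_empty_copy(int (*grow)(int), int count)
{
    array_header src = { 0, 4, sizeof(int), NULL };
    src.elts = pcalloc_stub(4 * sizeof(int));   /* empty array, capacity 4 */
    array_header dst;
    copy_array_hdr_stub(&dst, &src);            /* dst.nalloc becomes 0 */
    int pushed = 0;
    for (int i = 0; i < count; i++) {
        int *slot = push_array_checked(&dst, grow);
        if (!slot)
            break;
        *slot = i;
        pushed++;
    }
    return pushed;
}

int main(void)
{
    printf("unpatched growth rule: %d of 5 pushes succeeded\n",
           pushes_after_empty_copy(grow_size_buggy, 5));
    printf("patched growth rule:   %d of 5 pushes succeeded\n",
           pushes_after_empty_copy(grow_size_fixed, 5));
    return 0;
}
```

The capacity check in `push_array_checked` is the detection point: with the unpatched rule the copied header still reports `nalloc == 0` after "growing", so any write to the returned slot lands outside the allocation; with the patched rule the copy grows 1, 2, 4, 8 and every push gets real storage.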


