subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From phi...@apache.org
Subject svn commit: r1587968 - /subversion/trunk/subversion/libsvn_delta/svndiff.c
Date Wed, 16 Apr 2014 16:39:29 GMT
Author: philip
Date: Wed Apr 16 16:39:29 2014
New Revision: 1587968

URL: http://svn.apache.org/r1587968
Log:
Fix a case of reading beyond allocated memory with SVN0, i.e. pre-1.4,
FSFS repositories.  This was identified by running svnadmin_tests.py 14
over ra_svn with svnserve running under valgrind.

* subversion/libsvn_delta/svndiff.c
  (decode_window): Allocate, copy and add terminating null for SVN0, remove
   incorrect comment for SVN1.

Modified:
    subversion/trunk/subversion/libsvn_delta/svndiff.c

Modified: subversion/trunk/subversion/libsvn_delta/svndiff.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_delta/svndiff.c?rev=1587968&r1=1587967&r2=1587968&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_delta/svndiff.c (original)
+++ subversion/trunk/subversion/libsvn_delta/svndiff.c Wed Apr 16 16:39:29 2014
@@ -526,8 +526,6 @@ decode_window(svn_txdelta_window_t *wind
       svn_stringbuf_t *instout = svn_stringbuf_create_empty(pool);
       svn_stringbuf_t *ndout = svn_stringbuf_create_empty(pool);
 
-      /* these may in fact simply return references to insend */
-
       SVN_ERR(zlib_decode(insend, newlen, ndout,
                           SVN_DELTA_WINDOW_SIZE));
       SVN_ERR(zlib_decode(data, insend - data, instout,
@@ -542,7 +540,13 @@ decode_window(svn_txdelta_window_t *wind
     }
   else
     {
-      new_data->data = (const char *) insend;
+      /* Copy the data because an svn_string_t must have the invariant
+         data[len]=='\0'. */
+      char *buf = apr_palloc(pool, newlen + 1);
+
+      memcpy(buf, insend, newlen);
+      buf[newlen] = '\0';
+      new_data->data = buf;
       new_data->len = newlen;
     }
 



Mime
View raw message