Posted to commits@subversion.apache.org by br...@apache.org on 2014/02/18 17:30:19 UTC

svn commit: r1569415 - /subversion/trunk/subversion/libsvn_delta/compose_delta.c

Author: brane
Date: Tue Feb 18 16:30:18 2014
New Revision: 1569415

URL: http://svn.apache.org/r1569415
Log:
Fix an out-of-bounds read in the delta combiner.

* subversion/libsvn_delta/compose_delta.c (copy_source_ops):
   When initializing fix_limit, do not read past the end of the offsets array.

Modified:
    subversion/trunk/subversion/libsvn_delta/compose_delta.c

Modified: subversion/trunk/subversion/libsvn_delta/compose_delta.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_delta/compose_delta.c?rev=1569415&r1=1569414&r2=1569415&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_delta/compose_delta.c (original)
+++ subversion/trunk/subversion/libsvn_delta/compose_delta.c Tue Feb 18 16:30:18 2014
@@ -649,7 +649,8 @@ copy_source_ops(apr_size_t offset, apr_s
       const svn_txdelta_op_t *const op = &window->ops[op_ndx];
       const apr_size_t *const off = &ndx->offs[op_ndx];
       const apr_size_t fix_offset = (offset > off[0] ? offset - off[0] : 0);
-      const apr_size_t fix_limit = (off[1] > limit ? off[1] - limit : 0);
+      const apr_size_t fix_limit = (off[0] >= limit ? 0
+                                    : (off[1] > limit ? off[1] - limit : 0));
 
       /* Ideally, we'd do this check before assigning fix_offset and
          fix_limit; but then we couldn't make them const whilst still
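Review bot: The new `off[0] >= limit ? 0` branch on fix_limit carries no comment saying why off[1] is safe to read in the remaining case. The guard only skips the off[1] access when off[0] >= limit, so the fix depends on an invariant not visible in this hunk: whenever off[0] < limit, index op_ndx + 1 is still inside ndx->offs. Please state that invariant next to the initializer, or assert it. Note also that the value changes, not just the read: for an op with off[0] >= limit the old expression could yield off[1] - limit, and the new one yields 0. That is fine only if the check mentioned in the comment that follows rejects such ops before fix_limit is used, which is worth saying in that comment. The commit touches compose_delta.c only, so a regression test that drives copy_source_ops with limit at or before the start of the last op would help keep the out-of-bounds read from returning.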