You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@thrift.apache.org by dr...@apache.org on 2010/03/09 06:20:12 UTC

svn commit: r920684 - /incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp

Author: dreiss
Date: Tue Mar  9 05:20:12 2010
New Revision: 920684

URL: http://svn.apache.org/viewvc?rev=920684&view=rev
Log:
cpp: Fix memory corruption bug in TBufferedTransport::borrowSlow()

On one code path, the code would read data past the end of its buffer.

Modified:
    incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp

Modified: incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp
URL: http://svn.apache.org/viewvc/incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp?rev=920684&r1=920683&r2=920684&view=diff
==============================================================================
--- incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp (original)
+++ incubator/thrift/trunk/lib/cpp/src/transport/TBufferTransports.cpp Tue Mar  9 05:20:12 2010
@@ -128,10 +128,11 @@ const uint8_t* TBufferedTransport::borro
   if ((offset > rBufSize_/2) || (offset + need > rBufSize_)) {
     memmove(rBuf_.get(), rBase_, have);
     setReadBuffer(rBuf_.get(), have);
+    offset = have;
   }
 
   // First try to fill up the buffer.
-  uint32_t got = transport_->read(rBound_, rBufSize_ - have);
+  uint32_t got = transport_->read(rBound_, rBufSize_ - offset);
   rBound_ += got;
   need -= got;