Posted to commits@subversion.apache.org by br...@apache.org on 2014/02/21 21:32:56 UTC

svn commit: r1570701 - /subversion/trunk/subversion/libsvn_fs_base/key-gen.c

Author: breser
Date: Fri Feb 21 20:32:56 2014
New Revision: 1570701

URL: http://svn.apache.org/r1570701
Log:
Avoid potential integer overflow and underflow in svn_fs_base__next_key().

* subversion/libsvn_fs_base/key-gen.c
  (svn_fs_base__next_key): Use the same type for the index as we received the
    length as to avoid integer overflow.  Avoid using a signed index since that
    further reduces our range.  Don't decrement until we're sure we can't
    underflow.  Rewrite the loop to avoid requiring a signed loop control
    variable, using kfogel's favorite constant (BDB code is a blast from the
    past).

Modified:
    subversion/trunk/subversion/libsvn_fs_base/key-gen.c

Modified: subversion/trunk/subversion/libsvn_fs_base/key-gen.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_base/key-gen.c?rev=1570701&r1=1570700&r2=1570701&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_base/key-gen.c (original)
+++ subversion/trunk/subversion/libsvn_fs_base/key-gen.c Fri Feb 21 20:32:56 2014
@@ -39,20 +39,22 @@ void
 svn_fs_base__next_key(const char *this, apr_size_t *len, char *next)
 {
   apr_size_t olen = *len;     /* remember the first length */
-  int i = olen - 1;           /* initial index; we work backwards */
+  apr_size_t i;               /* current index */
   char c;                     /* current char */
   svn_boolean_t carry = TRUE; /* boolean: do we have a carry or not?
                                  We start with a carry, because we're
                                  incrementing the number, after all. */
 
-  /* Leading zeros are not allowed, except for the string "0". */
-  if ((*len > 1) && (this[0] == '0'))
+  /* Empty strings and leading zeros (except for the string "0") are not
+     allowed */
+  if (olen == 0 || (olen > 1 && this[0] == '0'))
     {
       *len = 0;
       return;
     }
 
-  for (i = (olen - 1); i >= 0; i--)
+  i = olen - 1; /* initial index: we work backwords */
+  while (1729)
     {
       c = this[i];
 
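Review bot: The assignment `i = olen - 1` is only safe because the `olen == 0` guard above has already returned; with an `apr_size_t` index an empty key would otherwise wrap to the maximum value and `c = this[i]` would read far outside the buffer. Nothing next to the assignment states that dependency, so I would put it in the comment, which also fixes the spelling: `i = olen - 1; /* initial index: we work backwards; olen >= 1 is guaranteed by the check above */`. On style, `while (1729)` is an in-joke constant that a reader has to stop and decode; `for (;;)` reads as a deliberate infinite loop and makes it clearer that termination rests entirely on the `if (i == 0) break;` added in the second hunk. The loop body continues outside this hunk.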
@@ -79,6 +81,11 @@ svn_fs_base__next_key(const char *this, 
         }
       else
         next[i] = c;
+
+      if (i == 0)
+        break;
+
+      i--;
     }
 
   /* The new length is OLEN, plus 1 if there's a carry out of the
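Review bot: The write bound on `next` still rests entirely on the caller, because the signature shown in the first hunk takes no capacity for it. The line `next[i] = c;` and the trailing comment ("plus 1 if there's a carry out") indicate the function can produce one byte more than the input length. This commit hardens the index arithmetic on the read side but leaves that contract implicit here. I would state it in the function's header comment, for example `/* NEXT must have room for at least *LEN + 1 bytes (plus any terminator written after the loop); this function does not check. */`. The function body and its declaration lie outside the hunk, so if the header file already documents this requirement, a short cross-reference is enough.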