You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@serf.apache.org by iv...@apache.org on 2017/09/13 08:45:26 UTC

svn commit: r1808213 - in /serf/branches/1.3.x: ./ STATUS buckets/deflate_buckets.c test/test_buckets.c

Author: ivan
Date: Wed Sep 13 08:45:26 2017
New Revision: 1808213

URL: http://svn.apache.org/viewvc?rev=1808213&view=rev
Log:
Merge:
 * r1805301
   Fix an endless loop in the deflate bucket with the truncated input.
   Justification:
     Bug in the gzip/deflate decoder.
   Branch:
     ^/serf/branches/1.3.x-r1805301
   Votes:
     +1: kotkov, ivan, rhuijben

Modified:
    serf/branches/1.3.x/   (props changed)
    serf/branches/1.3.x/STATUS
    serf/branches/1.3.x/buckets/deflate_buckets.c
    serf/branches/1.3.x/test/test_buckets.c

Propchange: serf/branches/1.3.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Sep 13 08:45:26 2017
@@ -1,5 +1,6 @@
 /serf/branches/1.3.x-fix-outgoing-request-err:1804540-1808208
 /serf/branches/1.3.x-r1804008-group:1805337-1808209
+/serf/branches/1.3.x-r1805301:1805336-1808212
 /serf/branches/multiple_ssl_impls:1699382
 /serf/branches/windows-sspi:1698866-1698877
-/serf/trunk:1699516-1699518,1699520-1699522,1699528,1699530-1699535,1699537,1699539-1699543,1699548-1699549,1699553,1699555-1699556,1699559-1699560,1699563-1699565,1699567-1699570,1699572-1699573,1699578-1699580,1699582-1699597,1699599-1699602,1699607,1699610,1699613,1699615-1699618,1699622-1699623,1699626-1699627,1699633,1699637,1699642,1699645,1699647,1699649-1699650,1699652,1699654-1699655,1699659-1699665,1699671,1699674,1699680-1699683,1699687-1699688,1699690,1699692-1699694,1699698-1699700,1699702,1699707-1699708,1699712-1699716,1699720,1699724,1699728,1699730,1699733,1699762,1699770,1699773,1699777,1699780-1699781,1699791,1699798,1699800-1699801,1699817,1699819,1699838,1699843,1699846,1699850,1699852,1699858-1699859,1699861,1699873,1699881,1699884,1699902-1699903,1699906,1699924,1699926-1699927,1699930,1699932,1699936-1699937,1699941,1699944,1699948-1699950,1699954,1699957,1699964,1699973,1699975,1699985-1699987,1699993-1699994,1700031,1700062,1700128,1700149,1700234,1700236,1
 700246,1700270,1700650,1700830,1702096,1702221,1702264,1703624,1704725,1708849,1709155-1709156,1709296,1748673,1757829,1758190,1758193,1804005,1804008,1804016,1804534
+/serf/trunk:1699516-1699518,1699520-1699522,1699528,1699530-1699535,1699537,1699539-1699543,1699548-1699549,1699553,1699555-1699556,1699559-1699560,1699563-1699565,1699567-1699570,1699572-1699573,1699578-1699580,1699582-1699597,1699599-1699602,1699607,1699610,1699613,1699615-1699618,1699622-1699623,1699626-1699627,1699633,1699637,1699642,1699645,1699647,1699649-1699650,1699652,1699654-1699655,1699659-1699665,1699671,1699674,1699680-1699683,1699687-1699688,1699690,1699692-1699694,1699698-1699700,1699702,1699707-1699708,1699712-1699716,1699720,1699724,1699728,1699730,1699733,1699762,1699770,1699773,1699777,1699780-1699781,1699791,1699798,1699800-1699801,1699817,1699819,1699838,1699843,1699846,1699850,1699852,1699858-1699859,1699861,1699873,1699881,1699884,1699902-1699903,1699906,1699924,1699926-1699927,1699930,1699932,1699936-1699937,1699941,1699944,1699948-1699950,1699954,1699957,1699964,1699973,1699975,1699985-1699987,1699993-1699994,1700031,1700062,1700128,1700149,1700234,1700236,1
 700246,1700270,1700650,1700830,1702096,1702221,1702264,1703624,1704725,1708849,1709155-1709156,1709296,1748673,1757829,1758190,1758193,1804005,1804008,1804016,1804534,1805301

Modified: serf/branches/1.3.x/STATUS
URL: http://svn.apache.org/viewvc/serf/branches/1.3.x/STATUS?rev=1808213&r1=1808212&r2=1808213&view=diff
==============================================================================
--- serf/branches/1.3.x/STATUS (original)
+++ serf/branches/1.3.x/STATUS Wed Sep 13 08:45:26 2017
@@ -30,11 +30,3 @@ Veto-blocked changes:
 Approved changes:
 =================
 
- * r1805301
-   Fix an endless loop in the deflate bucket with the truncated input.
-   Justification:
-     Bug in the gzip/deflate decoder.
-   Branch:
-     ^/serf/branches/1.3.x-r1805301
-   Votes:
-     +1: kotkov, ivan, rhuijben

Modified: serf/branches/1.3.x/buckets/deflate_buckets.c
URL: http://svn.apache.org/viewvc/serf/branches/1.3.x/buckets/deflate_buckets.c?rev=1808213&r1=1808212&r2=1808213&view=diff
==============================================================================
--- serf/branches/1.3.x/buckets/deflate_buckets.c (original)
+++ serf/branches/1.3.x/buckets/deflate_buckets.c Wed Sep 13 08:45:26 2017
@@ -281,9 +281,17 @@ static apr_status_t serf_deflate_read(se
 
                 zRC = inflate(&ctx->zstream, Z_NO_FLUSH);
 
-                /* We're full or zlib requires more space. Either case, clear
-                   out our buffer, reset, and return. */
-                if (zRC == Z_BUF_ERROR || ctx->zstream.avail_out == 0) {
+                if (zRC == Z_BUF_ERROR && APR_STATUS_IS_EOF(ctx->stream_status) &&
+                    ctx->zstream.avail_out > 0) {
+                    /* Zlib can't continue, although there's still space in the
+                       output buffer.  This can happen either if the stream is
+                       truncated or corrupted.  As we don't know for sure,
+                       return a generic error. */
+                    return SERF_ERROR_DECOMPRESSION_FAILED;
+                }
+                else if (zRC == Z_BUF_ERROR || ctx->zstream.avail_out == 0) {
+                    /* We're full or zlib requires more space. Either case, clear
+                       out our buffer, reset, and return. */
                     serf_bucket_t *tmp;
                     ctx->zstream.next_out = ctx->buffer;
                     private_len = ctx->bufferSize - ctx->zstream.avail_out;

Modified: serf/branches/1.3.x/test/test_buckets.c
URL: http://svn.apache.org/viewvc/serf/branches/1.3.x/test/test_buckets.c?rev=1808213&r1=1808212&r2=1808213&view=diff
==============================================================================
--- serf/branches/1.3.x/test/test_buckets.c (original)
+++ serf/branches/1.3.x/test/test_buckets.c Wed Sep 13 08:45:26 2017
@@ -1667,6 +1667,35 @@ static void test_deflate_4GBplus_buckets
 #undef BUFSIZE
 }
 
+static void test_deflate_bucket_truncated_data(CuTest *tc)
+{
+    test_baton_t *tb = tc->testBaton;
+    serf_bucket_t *input;
+    serf_bucket_t *bkt;
+    serf_bucket_t *chunk;
+    serf_bucket_alloc_t *alloc = serf_bucket_allocator_create(tb->pool, NULL,
+                                                              NULL);
+
+    /* This is a valid, but truncated gzip data (in two chunks). */
+    input = serf_bucket_aggregate_create(alloc);
+    chunk = SERF_BUCKET_SIMPLE_STRING_LEN("\x1F\x8B\x08\x00\x00", 5, alloc);
+    serf_bucket_aggregate_append(input, chunk);
+    chunk = SERF_BUCKET_SIMPLE_STRING_LEN("\x00\x00\x00\x00\x03", 5, alloc);
+    serf_bucket_aggregate_append(input, chunk);
+
+    bkt = serf_bucket_deflate_create(input, alloc, SERF_DEFLATE_GZIP);
+    {
+        char buf[1024];
+        apr_size_t len;
+        apr_status_t status;
+
+        status = read_all(bkt, buf, sizeof(buf), &len);
+        CuAssertIntEquals(tc, SERF_ERROR_DECOMPRESSION_FAILED, status);
+    }
+
+    serf_bucket_destroy(bkt);
+}
+
 CuSuite *test_buckets(void)
 {
     CuSuite *suite = CuSuiteNew();
@@ -1701,6 +1730,7 @@ CuSuite *test_buckets(void)
        data so it's disabled by default. */
     SUITE_ADD_TEST(suite, test_deflate_4GBplus_buckets);
 #endif
+    SUITE_ADD_TEST(suite, test_deflate_bucket_truncated_data);
 
 #if 0
     SUITE_ADD_TEST(suite, test_serf_default_read_iovec);