Posted to commits@apr.apache.org by rp...@apache.org on 2008/02/27 12:31:56 UTC

svn commit: r631559 - in /apr/apr-util/branches/1.2.x: CHANGES buckets/apr_brigade.c

Author: rpluem
Date: Wed Feb 27 03:31:42 2008
New Revision: 631559

URL: http://svn.apache.org/viewvc?rev=631559&view=rev
Log:
Merge r630780, r631110, r631553 from trunk:

* apr_brigade_partition:

  Use a 64 bit unsigned int for all calculations of point to avoid overflows
  on systems where apr_off_t > apr_size_t (e.g. 32 bit with LFS)
  while still doing the correct thing on other systems where
  apr_off_t = apr_size_t. We currently do not support platforms
  where apr_off_t, apr_size_t > 64 bit.

* Add CHANGES entry for r630780.

* We are working with point64 here, no longer with point.

Submitted by: rpluem
Reviewed by: rpluem

Modified:
    apr/apr-util/branches/1.2.x/CHANGES
    apr/apr-util/branches/1.2.x/buckets/apr_brigade.c

Modified: apr/apr-util/branches/1.2.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.2.x/CHANGES?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
--- apr/apr-util/branches/1.2.x/CHANGES [utf-8] (original)
+++ apr/apr-util/branches/1.2.x/CHANGES [utf-8] Wed Feb 27 03:31:42 2008
@@ -2,6 +2,9 @@
 
 Changes with APR-util 1.2.13
 
+  *) Fix a regression in apr_brigade_partition that causes integer overflows
+     on systems where apr_off_t > apr_size_t.  [Ruediger Pluem]
+
   *) Ensure that apr_uri_unparse does not add scheme to URI if
      APR_URI_UNP_OMITSITEPART flag is set. PR 44044.
      [Michael Clark <michael metaparadigm.com>]

Modified: apr/apr-util/branches/1.2.x/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.2.x/buckets/apr_brigade.c?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
--- apr/apr-util/branches/1.2.x/buckets/apr_brigade.c (original)
+++ apr/apr-util/branches/1.2.x/buckets/apr_brigade.c Wed Feb 27 03:31:42 2008
@@ -103,6 +103,7 @@
     apr_bucket *e;
     const char *s;
     apr_size_t len;
+    apr_uint64_t point64;
     apr_status_t rv;
 
     if (point < 0) {
@@ -114,17 +115,25 @@
         return APR_SUCCESS;
     }
 
+    /*
+     * Try to reduce the following casting mess: We know that point will be
+     * larger equal 0 now and forever and thus that point (apr_off_t) and
+     * apr_size_t will fit into apr_uint64_t in any case.
+     */
+    point64 = (apr_uint64_t)point;
+
     APR_BRIGADE_CHECK_CONSISTENCY(b);
 
     for (e = APR_BRIGADE_FIRST(b);
          e != APR_BRIGADE_SENTINEL(b);
          e = APR_BUCKET_NEXT(e))
     {
-        /* For an unknown length bucket, while 'point' is beyond the possible
+        /* For an unknown length bucket, while 'point64' is beyond the possible
          * size contained in apr_size_t, read and continue...
          */
-        if ((e->length == (apr_size_t)(-1)) && (point > MAX_APR_SIZE_T)) {
-            /* point is too far out to simply split this bucket,
+        if ((e->length == (apr_size_t)(-1))
+            && (point64 > (apr_uint64_t)MAX_APR_SIZE_T)) {
+            /* point64 is too far out to simply split this bucket,
              * we must fix this bucket's size and keep going... */
             rv = apr_bucket_read(e, &s, &len, APR_BLOCK_READ);
             if (rv != APR_SUCCESS) {
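Review bot: The comment added above `point64 = (apr_uint64_t)point;` asserts that apr_off_t and apr_size_t always fit into apr_uint64_t, but nothing in the code enforces it, so a build with wider types would truncate silently and bring back the wrong split offset this commit is fixing. A file-scope compile-time check would turn that assumption into a build failure, for example (constructed name) `typedef char brigade_off_fits_u64[(sizeof(apr_off_t) <= sizeof(apr_uint64_t)) ? 1 : -1];`, with a second one for apr_size_t. The cast also relies on the `point < 0` test that opens in the previous hunk and whose body is not visible here, so the comment would be clearer as `point is >= 0 here (negative values were rejected above)` than "larger equal 0 now and forever". The function starts and ends outside this hunk.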
@@ -132,14 +141,15 @@
                 return rv;
             }
         }
-        else if (((apr_size_t)point < e->length) || (e->length == (apr_size_t)(-1))) {
-            /* We already consumed buckets where point is beyond 
-             * our interest ( point > MAX_APR_SIZE_T ), above.
-             * Here point falls between 0 and MAX_APR_SIZE_T 
+        else if ((point64 < (apr_uint64_t)e->length)
+                 || (e->length == (apr_size_t)(-1))) {
+            /* We already consumed buckets where point64 is beyond
+             * our interest ( point64 > MAX_APR_SIZE_T ), above.
+             * Here point falls between 0 and MAX_APR_SIZE_T
              * and is within this bucket, or this bucket's len
              * is undefined, so now we are ready to split it.
              * First try to split the bucket natively... */
-            if ((rv = apr_bucket_split(e, (apr_size_t)point)) 
+            if ((rv = apr_bucket_split(e, (apr_size_t)point64)) 
                     != APR_ENOTIMPL) {
                 *after_point = APR_BUCKET_NEXT(e);
                 return rv;
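Review bot: The narrowing cast in `apr_bucket_split(e, (apr_size_t)point64)` is safe only because of the surrounding branch conditions, and the comment above it neither says so nor was fully renamed (it still reads `Here point falls between 0 and MAX_APR_SIZE_T`). When the branch is entered through `e->length == (apr_size_t)(-1)`, the bound comes from the preceding `if` having failed, which means point64 <= MAX_APR_SIZE_T; otherwise it comes from `point64 < (apr_uint64_t)e->length`. I would reword that comment line to `Here point64 is either < e->length or <= MAX_APR_SIZE_T (checked above), so the cast to apr_size_t below cannot truncate`. The `else if` body continues past the end of this hunk.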
@@ -156,17 +166,17 @@
             /* this assumes that len == e->length, which is okay because e
              * might have been morphed by the apr_bucket_read() above, but
              * if it was, the length would have been adjusted appropriately */
-            if ((apr_size_t)point < e->length) {
-                rv = apr_bucket_split(e, (apr_size_t)point);
+            if (point64 < (apr_uint64_t)e->length) {
+                rv = apr_bucket_split(e, (apr_size_t)point64);
                 *after_point = APR_BUCKET_NEXT(e);
                 return rv;
             }
         }
-        if (point == e->length) {
+        if (point64 == (apr_uint64_t)e->length) {
             *after_point = APR_BUCKET_NEXT(e);
             return APR_SUCCESS;
         }
-        point -= e->length;
+        point64 -= (apr_uint64_t)e->length;
     }
     *after_point = APR_BRIGADE_SENTINEL(b); 
     return APR_INCOMPLETE;
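Review bot: `point64 -= (apr_uint64_t)e->length;` is an unsigned subtraction, so if e->length ever exceeded point64 at this line the value would wrap to a very large offset and the walk would continue with a wrong position. From the visible branches this looks unreachable, since the smaller case returns after a split and the equal case returns just above. That reasoning assumes apr_bucket_read has replaced an unknown length of `(apr_size_t)(-1)` with the real one, and part of that path lies between this hunk and the previous one and is not shown. A one-line comment such as `/* point64 > e->length here: the < and == cases returned above */` would record the invariant the subtraction depends on.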