You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@apr.apache.org by rp...@apache.org on 2008/02/27 12:31:56 UTC
svn commit: r631559 - in /apr/apr-util/branches/1.2.x: CHANGES
buckets/apr_brigade.c
Author: rpluem
Date: Wed Feb 27 03:31:42 2008
New Revision: 631559
URL: http://svn.apache.org/viewvc?rev=631559&view=rev
Log:
Merge r630780, r631110, r631553 from trunk:
* apr_brigade_partition:
Use a 64 bit unsigned int for all calculations of point to avoid overflows
on systems where apr_off_t > apr_size_t (e.g. 32 bit with LFS)
while still doing the correct thing on other systems where
apr_off_t = apr_size_t. We currently do not support platforms
where apr_off_t, apr_size_t > 64 bit.
* Add CHANGES entry for r630780.
* We are working with point64 here, no longer with point.
Submitted by: rpluem
Reviewed by: rpluem
Modified:
apr/apr-util/branches/1.2.x/CHANGES
apr/apr-util/branches/1.2.x/buckets/apr_brigade.c
Modified: apr/apr-util/branches/1.2.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.2.x/CHANGES?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
--- apr/apr-util/branches/1.2.x/CHANGES [utf-8] (original)
+++ apr/apr-util/branches/1.2.x/CHANGES [utf-8] Wed Feb 27 03:31:42 2008
@@ -2,6 +2,9 @@
Changes with APR-util 1.2.13
+ *) Fix a regression in apr_brigade_partition that causes integer overflows
+ on systems where apr_off_t > apr_size_t. [Ruediger Pluem]
+
*) Ensure that apr_uri_unparse does not add scheme to URI if
APR_URI_UNP_OMITSITEPART flag is set. PR 44044.
[Michael Clark <michael metaparadigm.com>]
Modified: apr/apr-util/branches/1.2.x/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.2.x/buckets/apr_brigade.c?rev=631559&r1=631558&r2=631559&view=diff
==============================================================================
--- apr/apr-util/branches/1.2.x/buckets/apr_brigade.c (original)
+++ apr/apr-util/branches/1.2.x/buckets/apr_brigade.c Wed Feb 27 03:31:42 2008
@@ -103,6 +103,7 @@
apr_bucket *e;
const char *s;
apr_size_t len;
+ apr_uint64_t point64;
apr_status_t rv;
if (point < 0) {
@@ -114,17 +115,25 @@
return APR_SUCCESS;
}
+ /*
+ * Try to reduce the following casting mess: We know that point will be
+ * larger equal 0 now and forever and thus that point (apr_off_t) and
+ * apr_size_t will fit into apr_uint64_t in any case.
+ */
+ point64 = (apr_uint64_t)point;
+
APR_BRIGADE_CHECK_CONSISTENCY(b);
for (e = APR_BRIGADE_FIRST(b);
e != APR_BRIGADE_SENTINEL(b);
e = APR_BUCKET_NEXT(e))
{
- /* For an unknown length bucket, while 'point' is beyond the possible
+ /* For an unknown length bucket, while 'point64' is beyond the possible
* size contained in apr_size_t, read and continue...
*/
- if ((e->length == (apr_size_t)(-1)) && (point > MAX_APR_SIZE_T)) {
- /* point is too far out to simply split this bucket,
+ if ((e->length == (apr_size_t)(-1))
+ && (point64 > (apr_uint64_t)MAX_APR_SIZE_T)) {
+ /* point64 is too far out to simply split this bucket,
* we must fix this bucket's size and keep going... */
rv = apr_bucket_read(e, &s, &len, APR_BLOCK_READ);
if (rv != APR_SUCCESS) {
@@ -132,14 +141,15 @@
return rv;
}
}
- else if (((apr_size_t)point < e->length) || (e->length == (apr_size_t)(-1))) {
- /* We already consumed buckets where point is beyond
- * our interest ( point > MAX_APR_SIZE_T ), above.
- * Here point falls between 0 and MAX_APR_SIZE_T
+ else if ((point64 < (apr_uint64_t)e->length)
+ || (e->length == (apr_size_t)(-1))) {
+ /* We already consumed buckets where point64 is beyond
+ * our interest ( point64 > MAX_APR_SIZE_T ), above.
+ * Here point falls between 0 and MAX_APR_SIZE_T
* and is within this bucket, or this bucket's len
* is undefined, so now we are ready to split it.
* First try to split the bucket natively... */
- if ((rv = apr_bucket_split(e, (apr_size_t)point))
+ if ((rv = apr_bucket_split(e, (apr_size_t)point64))
!= APR_ENOTIMPL) {
*after_point = APR_BUCKET_NEXT(e);
return rv;
@@ -156,17 +166,17 @@
/* this assumes that len == e->length, which is okay because e
* might have been morphed by the apr_bucket_read() above, but
* if it was, the length would have been adjusted appropriately */
- if ((apr_size_t)point < e->length) {
- rv = apr_bucket_split(e, (apr_size_t)point);
+ if (point64 < (apr_uint64_t)e->length) {
+ rv = apr_bucket_split(e, (apr_size_t)point64);
*after_point = APR_BUCKET_NEXT(e);
return rv;
}
}
- if (point == e->length) {
+ if (point64 == (apr_uint64_t)e->length) {
*after_point = APR_BUCKET_NEXT(e);
return APR_SUCCESS;
}
- point -= e->length;
+ point64 -= (apr_uint64_t)e->length;
}
*after_point = APR_BRIGADE_SENTINEL(b);
return APR_INCOMPLETE;