You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@apr.apache.org by wr...@apache.org on 2007/10/23 11:52:53 UTC
svn commit: r587434 - /apr/apr-util/trunk/buckets/apr_brigade.c
Author: wrowe
Date: Tue Oct 23 02:52:53 2007
New Revision: 587434
URL: http://svn.apache.org/viewvc?rev=587434&view=rev
Log:
Folks, I'd appreciate if this received extra attention;
I believe my analysis is correct that we protect from
the cases where the off_t 'point' arg (signed!) falls
out of scope of the size_t e->length (equivilant or
smaller sized, and unsigned.)
We could use an official MAX_SIZE_T - heh.
Modified:
apr/apr-util/trunk/buckets/apr_brigade.c
Modified: apr/apr-util/trunk/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/buckets/apr_brigade.c?rev=587434&r1=587433&r2=587434&view=diff
==============================================================================
--- apr/apr-util/trunk/buckets/apr_brigade.c (original)
+++ apr/apr-util/trunk/buckets/apr_brigade.c Tue Oct 23 02:52:53 2007
@@ -114,6 +114,11 @@
e != APR_BRIGADE_SENTINEL(b);
e = APR_BUCKET_NEXT(e))
{
+ /* XXX: 2's compliment math error here, (apr_size_t)(-1) is not
+ * a sufficient replacement for MAX_SIZE_T (compared to 'point' here);
+ * For an unknown length bucket, while 'point' is beyond the possible
+ * size contained in apr_size_t, read and continue...
+ */
if ((e->length == (apr_size_t)(-1)) && (point > (apr_size_t)(-1))) {
/* point is too far out to simply split this bucket,
* we must fix this bucket's size and keep going... */
@@ -123,9 +128,12 @@
return rv;
}
}
- if ((point < e->length) || (e->length == (apr_size_t)(-1))) {
- /* We already checked e->length -1 above, so we now
- * trust e->length < MAX_APR_SIZE_T.
+ else if (((apr_size_t)point < e->length) || (e->length == (apr_size_t)(-1))) {
+ /* We already consumed buckets where point is beyond
+ * our interest ( point > MAX_APR_SIZE_T ), above.
+ * Here point falls between 0 and MAX_APR_SIZE_T
+ * and is within this bucket, or this bucket's len
+ * is undefined, so now we are ready to split it.
* First try to split the bucket natively... */
if ((rv = apr_bucket_split(e, (apr_size_t)point))
!= APR_ENOTIMPL) {
@@ -144,7 +152,7 @@
/* this assumes that len == e->length, which is okay because e
* might have been morphed by the apr_bucket_read() above, but
* if it was, the length would have been adjusted appropriately */
- if (point < e->length) {
+ if ((apr_size_t)point < e->length) {
rv = apr_bucket_split(e, (apr_size_t)point);
*after_point = APR_BUCKET_NEXT(e);
return rv;
@@ -344,7 +352,7 @@
++vec;
}
- *nvec = vec - orig;
+ *nvec = (int)(vec - orig);
return APR_SUCCESS;
}