You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@apr.apache.org by wr...@apache.org on 2007/10/23 11:52:53 UTC

svn commit: r587434 - /apr/apr-util/trunk/buckets/apr_brigade.c

Author: wrowe
Date: Tue Oct 23 02:52:53 2007
New Revision: 587434

URL: http://svn.apache.org/viewvc?rev=587434&view=rev
Log:
Folks, I'd appreciate if this received extra attention;
I believe my analysis is correct that we protect from
the cases where the off_t 'point' arg (signed!) falls
out of scope of the size_t e->length (equivilant or
smaller sized, and unsigned.)

We could use an official MAX_SIZE_T - heh.

Modified:
    apr/apr-util/trunk/buckets/apr_brigade.c

Modified: apr/apr-util/trunk/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/trunk/buckets/apr_brigade.c?rev=587434&r1=587433&r2=587434&view=diff
==============================================================================
--- apr/apr-util/trunk/buckets/apr_brigade.c (original)
+++ apr/apr-util/trunk/buckets/apr_brigade.c Tue Oct 23 02:52:53 2007
@@ -114,6 +114,11 @@
          e != APR_BRIGADE_SENTINEL(b);
          e = APR_BUCKET_NEXT(e))
     {
+        /* XXX: 2's compliment math error here, (apr_size_t)(-1) is not
+         * a sufficient replacement for MAX_SIZE_T (compared to 'point' here);
+         * For an unknown length bucket, while 'point' is beyond the possible
+         * size contained in apr_size_t, read and continue...
+         */
         if ((e->length == (apr_size_t)(-1)) && (point > (apr_size_t)(-1))) {
             /* point is too far out to simply split this bucket,
              * we must fix this bucket's size and keep going... */
@@ -123,9 +128,12 @@
                 return rv;
             }
         }
-        if ((point < e->length) || (e->length == (apr_size_t)(-1))) {
-            /* We already checked e->length -1 above, so we now
-             * trust e->length < MAX_APR_SIZE_T.
+        else if (((apr_size_t)point < e->length) || (e->length == (apr_size_t)(-1))) {
+            /* We already consumed buckets where point is beyond 
+             * our interest ( point > MAX_APR_SIZE_T ), above.
+             * Here point falls between 0 and MAX_APR_SIZE_T 
+             * and is within this bucket, or this bucket's len
+             * is undefined, so now we are ready to split it.
              * First try to split the bucket natively... */
             if ((rv = apr_bucket_split(e, (apr_size_t)point)) 
                     != APR_ENOTIMPL) {
@@ -144,7 +152,7 @@
             /* this assumes that len == e->length, which is okay because e
              * might have been morphed by the apr_bucket_read() above, but
              * if it was, the length would have been adjusted appropriately */
-            if (point < e->length) {
+            if ((apr_size_t)point < e->length) {
                 rv = apr_bucket_split(e, (apr_size_t)point);
                 *after_point = APR_BUCKET_NEXT(e);
                 return rv;
@@ -344,7 +352,7 @@
         ++vec;
     }
 
-    *nvec = vec - orig;
+    *nvec = (int)(vec - orig);
     return APR_SUCCESS;
 }