You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by ko...@apache.org on 2015/12/07 10:48:45 UTC
svn commit: r1718267 - /subversion/trunk/subversion/libsvn_ra_svn/marshal.c
Author: kotkov
Date: Mon Dec 7 09:48:45 2015
New Revision: 1718267
URL: http://svn.apache.org/viewvc?rev=1718267&view=rev
Log:
Make the string unmarshalling code in libsvn_ra_svn resilient against
theoretically possible data corruptions.
* subversion/libsvn_ra_svn/marshal.c
(read_string): Adjust the conditions under which we use a shortcut.
Modified:
subversion/trunk/subversion/libsvn_ra_svn/marshal.c
Modified: subversion/trunk/subversion/libsvn_ra_svn/marshal.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/marshal.c?rev=1718267&r1=1718266&r2=1718267&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_ra_svn/marshal.c (original)
+++ subversion/trunk/subversion/libsvn_ra_svn/marshal.c Mon Dec 7 09:48:45 2015
@@ -1194,6 +1194,7 @@ static svn_error_t *read_string(svn_ra_s
apr_size_t len = (apr_size_t)len64;
apr_size_t readbuf_len;
char *dest;
+ apr_size_t buflen;
/* We can't store strings longer than the maximum size of apr_size_t,
* so check before using the truncated value. */
@@ -1201,8 +1202,9 @@ static svn_error_t *read_string(svn_ra_s
return svn_error_create(SVN_ERR_RA_SVN_MALFORMED_DATA, NULL,
_("String length larger than maximum"));
+ buflen = conn->read_end - conn->read_ptr;
/* Shorter strings can be copied directly from the read buffer. */
- if (conn->read_ptr + len <= conn->read_end)
+ if (len <= buflen)
{
item->kind = SVN_RA_SVN_STRING;
item->u.string.data = apr_pstrmemdup(pool, conn->read_ptr, len);