You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@subversion.apache.org by ko...@apache.org on 2015/12/07 10:48:45 UTC

svn commit: r1718267 - /subversion/trunk/subversion/libsvn_ra_svn/marshal.c

Author: kotkov
Date: Mon Dec  7 09:48:45 2015
New Revision: 1718267

URL: http://svn.apache.org/viewvc?rev=1718267&view=rev
Log:
Make the string unmarshalling code in libsvn_ra_svn resilient against
theoretically possible data corruptions.

* subversion/libsvn_ra_svn/marshal.c
  (read_string): Adjust the conditions under which we use a shortcut.

Modified:
    subversion/trunk/subversion/libsvn_ra_svn/marshal.c

Modified: subversion/trunk/subversion/libsvn_ra_svn/marshal.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/marshal.c?rev=1718267&r1=1718266&r2=1718267&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_ra_svn/marshal.c (original)
+++ subversion/trunk/subversion/libsvn_ra_svn/marshal.c Mon Dec  7 09:48:45 2015
@@ -1194,6 +1194,7 @@ static svn_error_t *read_string(svn_ra_s
   apr_size_t len = (apr_size_t)len64;
   apr_size_t readbuf_len;
   char *dest;
+  apr_size_t buflen;
 
   /* We can't store strings longer than the maximum size of apr_size_t,
    * so check before using the truncated value. */
@@ -1201,8 +1202,9 @@ static svn_error_t *read_string(svn_ra_s
     return svn_error_create(SVN_ERR_RA_SVN_MALFORMED_DATA, NULL,
                             _("String length larger than maximum"));
 
+  buflen = conn->read_end - conn->read_ptr;
   /* Shorter strings can be copied directly from the read buffer. */
-  if (conn->read_ptr + len <= conn->read_end)
+  if (len <= buflen)
     {
       item->kind = SVN_RA_SVN_STRING;
       item->u.string.data = apr_pstrmemdup(pool, conn->read_ptr, len);