Posted to c-dev@axis.apache.org by "Stipcevic, Marc" <Ma...@brukeroptics.de> on 2011/08/10 16:28:24 UTC

Bug in axutil_stream_write_basic

Hi,

I found a bug in the file stream.c in the project axutil.
If (line 178) AXIS2_FREE(env->allocator, stream->buffer_head); frees a stream whose len == its max_len, a heap corruption appears,
because in allocator.c (line 120) the function axutil_allocator_free_impl frees a pointer with the wrong size (1 byte too much).

This error can only happen if the length of the buffer is a multiple of 2048, because in the file stream.c, in the function
axutil_stream_write_basic (line 306), if(new_len > stream->max_len) the buffer only becomes larger if max_len is bigger than
len, not if max_len == len.
If this case happens at the end of the program, a heap corruption appears.

The solution would be
if(new_len >= stream->max_len)
instead of
if(new_len > stream->max_len)

Does someone know this bug, and does an official patch / fix exist for it?

Best regards (and sorry for my terrible English)

Marc Stipcevic

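The off-by-one described in the report, modelled as an added example. This is not Axis2/C code and not the poster's code: it is a small bounds-checked model of a growable byte stream whose append first decides whether to grow, then copies the data and places a terminating '\0' at buffer[len]. That terminator at buffer[len] is an assumption about the mechanism behind the "1 byte too much" in the report, as are the growth step of 2048 and the names model_stream_t, model_write, count_overflows and final_alloc. The model records an out-of-bounds terminator write instead of performing it, so it runs without undefined behaviour and the two growth tests (`>` versus `>=`) can be compared deterministically.

```c
/* Added example, not Axis2/C code: a bounds-checked model of a growable
 * stream. The '\0' at buffer[len] and the 2048-byte growth step are
 * ASSUMPTIONS about the mechanism the report describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CHUNK 2048   /* hypothetical growth step; matches the 2048 in the report */

typedef struct {
    char  *buffer;
    size_t len;        /* bytes written so far */
    size_t max_len;    /* bytes allocated */
    int    overflows;  /* terminator writes that would have landed at buffer[max_len] */
} model_stream_t;

/* Fresh stream with one chunk allocated and nothing written. */
static int model_init(model_stream_t *s)
{
    s->len = 0;
    s->max_len = BUF_CHUNK;
    s->overflows = 0;
    s->buffer = malloc(BUF_CHUNK);
    return s->buffer ? 0 : -1;
}

/* grow_on_equal == 0 models `if (new_len > max_len)`  (the reported bug);
 * grow_on_equal != 0 models `if (new_len >= max_len)` (the proposed fix). */
static int model_write(model_stream_t *s, const char *data, size_t count, int grow_on_equal)
{
    size_t new_len = s->len + count;
    int must_grow = grow_on_equal ? (new_len >= s->max_len) : (new_len > s->max_len);

    if (must_grow) {
        size_t new_max = new_len + BUF_CHUNK;
        char *tmp = realloc(s->buffer, new_max);
        if (!tmp) return -1;
        s->buffer = tmp;
        s->max_len = new_max;
    }

    /* The copy itself stays in bounds whenever new_len <= max_len. */
    memcpy(s->buffer + s->len, data, count);
    s->len = new_len;

    /* The terminator goes at buffer[len], which is valid only while len < max_len.
     * When len == max_len (len a multiple of 2048 under the buggy test) the real
     * code would write one byte past the allocation; the model only counts it. */
    if (s->len < s->max_len)
        s->buffer[s->len] = '\0';
    else
        s->overflows++;
    return 0;
}

/* Write `total` bytes in pieces of `piece` bytes, return the number of
 * terminator writes that would have gone out of bounds (-1 on alloc failure).
 * `final_max`, if non-NULL, receives the final allocation size. */
static int count_overflows(size_t total, size_t piece, int grow_on_equal, size_t *final_max)
{
    model_stream_t s;
    char *chunk = malloc(piece);
    size_t done = 0;
    int result = -1;

    if (!chunk || model_init(&s) != 0) { free(chunk); return -1; }
    memset(chunk, 'A', piece);   /* constructed payload, content is irrelevant */

    while (done < total) {
        size_t n = (total - done < piece) ? total - done : piece;
        if (model_write(&s, chunk, n, grow_on_equal) != 0) goto out;
        done += n;
    }
    if (final_max) *final_max = s.max_len;
    result = s.overflows;
out:
    free(chunk);
    free(s.buffer);
    return result;
}

/* Final allocation size after the same write pattern (0 on failure). */
static size_t final_alloc(size_t total, size_t piece, int grow_on_equal)
{
    size_t m = 0;
    return count_overflows(total, piece, grow_on_equal, &m) < 0 ? 0 : m;
}

int main(void)
{
    printf("2048 bytes, '>'  test: %d out-of-bounds terminator write(s)\n", count_overflows(2048, 2048, 0, NULL));
    printf("2048 bytes, '>=' test: %d out-of-bounds terminator write(s)\n", count_overflows(2048, 2048, 1, NULL));
    printf("2047 bytes, '>'  test: %d out-of-bounds terminator write(s)\n", count_overflows(2047, 2047, 0, NULL));
    return 0;
}
```

The model shows why the report's condition is exactly "a multiple of 2048": with the `>` test the buffer is left at len == max_len, so the terminator lands one byte past the allocation, and the damage only becomes visible later, when the allocator inspects its metadata during free. With the `>=` test the buffer is grown one step early and the terminator always has room.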

Re: Bug in axutil_stream_write_basic

Posted by Samisa Abeysinghe <sa...@gmail.com>.
Good catch, and thanks for the suggested fix. I will have a look and commit this for the upcoming 1.7.0 release.

Samisa Abeysinghe

http://samisa-abeysinghe.blogspot.com/
On Wed, Aug 10, 2011 at 7:58 PM, Stipcevic, Marc <Marc.Stipcevic@brukeroptics.de> wrote: