Posted to commits@subversion.apache.org by st...@apache.org on 2015/11/30 22:36:20 UTC

svn commit: r1717332 - in /subversion/trunk/subversion: libsvn_fs_fs/cached_data.c libsvn_fs_fs/index.c libsvn_fs_fs/pack.c libsvn_fs_fs/revprops.c libsvn_subr/base64.c libsvn_subr/stream.c libsvn_subr/string.c

Author: stefan2
Date: Mon Nov 30 21:36:20 2015
New Revision: 1717332

URL: http://svn.apache.org/viewvc?rev=1717332&view=rev
Log:
Continue work started in r1714372: 
Fix a number of potential overflow conditions on platforms where pointers
may be allocated very close to the end of address space, such as WoW64.
Same for systems with 32 bit file offsets.

There is no direct way to trigger the respective overflow conditions but
this patch makes the code more resilient against repository corruption and
failures higher up in the call stack.

* subversion/libsvn_fs_fs/cached_data.c
  (block_read): Instead of "base + x < max", we must check "max - base > x"
                to prevent overflows under all circumstances.

* subversion/libsvn_fs_fs/index.c
  (svn_fs_fs__l2p_get_max_ids): Same.

* subversion/libsvn_fs_fs/pack.c
  (pack_log_addressed): Same.

* subversion/libsvn_fs_fs/revprops.c
  (parse_packed_revprops): Same.

* subversion/libsvn_subr/base64.c
  (encode_bytes,
   decode_bytes): Same.

* subversion/libsvn_subr/stream.c
  (svn_stringbuf_from_stream): Same.

* subversion/libsvn_subr/string.c
  (svn_cstring__match_length): Same. 

Modified:
    subversion/trunk/subversion/libsvn_fs_fs/cached_data.c
    subversion/trunk/subversion/libsvn_fs_fs/index.c
    subversion/trunk/subversion/libsvn_fs_fs/pack.c
    subversion/trunk/subversion/libsvn_fs_fs/revprops.c
    subversion/trunk/subversion/libsvn_subr/base64.c
    subversion/trunk/subversion/libsvn_subr/stream.c
    subversion/trunk/subversion/libsvn_subr/string.c

Modified: subversion/trunk/subversion/libsvn_fs_fs/cached_data.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/cached_data.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/cached_data.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/cached_data.c Mon Nov 30 21:36:20 2015
@@ -3540,7 +3540,7 @@ block_read(void **result,
               /* if we crossed a block boundary, read the remainder of
                * the last block as well */
               offset = entry->offset + entry->size;
-              if (offset > block_start + ffd->block_size)
+              if (offset - block_start > ffd->block_size)
                 ++run_count;
             }
         }
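Review bot: The sum on the context line just above the changed test, `offset = entry->offset + entry->size;`, is still computed before any bound is applied, so a corrupt index entry can overflow there and the rearranged comparison then sees an already-wrapped value. The declarations are outside the hunk, but if these are signed file offsets that overflow is undefined behaviour rather than a defined wrap. The test can be written without the sum, `if (entry->size > ffd->block_size - (entry->offset - block_start))`, provided `entry->offset >= block_start` holds at this point. If `offset` is used later, it also needs a range check on `entry->size` before the addition. block_read begins and ends outside the hunk.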

Modified: subversion/trunk/subversion/libsvn_fs_fs/index.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/index.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/index.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/index.c Mon Nov 30 21:36:20 2015
@@ -1736,7 +1736,7 @@ svn_fs_fs__l2p_get_max_ids(apr_array_hea
       apr_uint64_t item_count;
       apr_size_t first_page_index, last_page_index;
 
-      if (revision >= header->first_revision + header->revision_count)
+      if (revision - header->first_revision >= header->revision_count)
         {
           /* need to read the next index. Clear up memory used for the
            * previous one.  Note that intermittent pack runs do not change
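Review bot: The rewritten test `revision - header->first_revision >= header->revision_count` matches the old one only while `revision >= header->first_revision`. The declarations are outside the hunk, but if `revision` is a signed revision number and `revision_count` is unsigned, a smaller `revision` gives a negative difference that converts to a very large unsigned value and takes the "read the next index" branch, where the old form would not have. If the loop guarantees the ordering, record it next to the test, e.g. `/* REVISION >= HEADER->FIRST_REVISION holds here, so the difference cannot be negative. */`. The function body starts and ends outside the hunk.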

Modified: subversion/trunk/subversion/libsvn_fs_fs/pack.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/pack.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/pack.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/pack.c Mon Nov 30 21:36:20 2015
@@ -1560,7 +1560,8 @@ pack_log_addressed(svn_fs_t *fs,
 
   /* pack revisions in ranges that don't exceed MAX_MEM */
   for (i = 0; i < max_ids->nelts; ++i)
-    if (APR_ARRAY_IDX(max_ids, i, apr_uint64_t) + item_count <= max_items)
+    if (   APR_ARRAY_IDX(max_ids, i, apr_uint64_t)
+        <= (apr_uint64_t)max_items - item_count)
       {
         context.end_rev++;
       }
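Review bot: `(apr_uint64_t)max_items - item_count` wraps to a very large value whenever `item_count` is greater than `max_items`, and the test then succeeds for almost any entry, which inverts the memory limit the comment describes. The previous additive form rejected that case. Whether `item_count` can exceed `max_items` depends on code outside the hunk (a single revision whose max id is above the limit would be one way), so the subtraction should be guarded: `if (   item_count <= max_items` followed by `&& APR_ARRAY_IDX(max_ids, i, apr_uint64_t) <= (apr_uint64_t)max_items - item_count)`. The loop body continues past the end of the hunk.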

Modified: subversion/trunk/subversion/libsvn_fs_fs/revprops.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/revprops.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/revprops.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/revprops.c Mon Nov 30 21:36:20 2015
@@ -524,7 +524,7 @@ parse_packed_revprops(svn_fs_t *fs,
       /* read & check the serialized size */
       SVN_ERR(svn_fs_fs__read_number_from_stream(&size, NULL, stream,
                                                  iterpool));
-      if (size + offset > (apr_int64_t)revprops->packed_revprops->len)
+      if (size > (apr_int64_t)revprops->packed_revprops->len - offset)
         return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                         _("Packed revprop size exceeds pack file size"));
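Review bot: The changed test bounds `size` from above only, and the comparison is signed, so a negative `size` parsed from the pack file still passes it. Whether `svn_fs_fs__read_number_from_stream` can hand back a negative value is not visible in this hunk. If it can, the corruption check should reject it explicitly: `if (size < 0 || size > (apr_int64_t)revprops->packed_revprops->len - offset)`. parse_packed_revprops starts and ends outside the hunk.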
 

Modified: subversion/trunk/subversion/libsvn_subr/base64.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/base64.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/base64.c (original)
+++ subversion/trunk/subversion/libsvn_subr/base64.c Mon Nov 30 21:36:20 2015
@@ -141,7 +141,7 @@ encode_bytes(svn_stringbuf_t *str, const
   svn_stringbuf_ensure(str, str->len + buflen);
 
   /* Keep encoding three-byte groups until we run out.  */
-  while (*inbuflen + (end - p) >= 3)
+  while ((end - p) >= (3 - *inbuflen))
     {
       /* May we encode BYTES_PER_LINE bytes without caring about
          line breaks, data in the temporary INBUF or running out
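Review bot: The first context line of this hunk, `svn_stringbuf_ensure(str, str->len + buflen);`, still uses the additive pattern this commit removes elsewhere. If that sum wraps, the reservation is made from the wrapped value and no longer covers what the encoder appends. How `buflen` is derived is outside the hunk, so this may not be reachable, but a guard such as `if (buflen > APR_SIZE_MAX - str->len)` before the call would keep the function consistent with the rest of the change. The new loop condition also relies on `*inbuflen` never exceeding 3, which is worth a short comment such as `/* *INBUFLEN is always < 3 here. */`. encode_bytes starts and ends outside the hunk.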
@@ -430,7 +430,7 @@ decode_bytes(svn_stringbuf_t *str, const
       /* If no data is left in temporary INBUF and there is at least
          one line-sized chunk left to decode, we may use the optimized
          code path. */
-      if ((*inbuflen == 0) && (p + BASE64_LINELEN <= end))
+      if ((*inbuflen == 0) && (end - p >= BASE64_LINELEN))
         if (decode_line(str, &p))
           continue;
 

Modified: subversion/trunk/subversion/libsvn_subr/stream.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/stream.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/stream.c (original)
+++ subversion/trunk/subversion/libsvn_subr/stream.c Mon Nov 30 21:36:20 2015
@@ -1513,7 +1513,7 @@ svn_stringbuf_from_stream(svn_stringbuf_
       if (actually_read < to_read)
         break;
 
-      if (text->blocksize < text->len + MIN_READ_SIZE)
+      if (text->blocksize - text->len < MIN_READ_SIZE)
         svn_stringbuf_ensure(text, text->blocksize * 2);
     }
 

Modified: subversion/trunk/subversion/libsvn_subr/string.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/string.c?rev=1717332&r1=1717331&r2=1717332&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/string.c (original)
+++ subversion/trunk/subversion/libsvn_subr/string.c Mon Nov 30 21:36:20 2015
@@ -1421,7 +1421,7 @@ svn_cstring__match_length(const char *a,
    * because A and B will probably have different alignment. So, skipping
    * the first few chars until alignment is reached is not an option.
    */
-  for (; pos + sizeof(apr_size_t) <= max_len; pos += sizeof(apr_size_t))
+  for (; max_len - pos >= sizeof(apr_size_t); pos += sizeof(apr_size_t))
     if (*(const apr_size_t*)(a + pos) != *(const apr_size_t*)(b + pos))
       break;