You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@subversion.apache.org by iv...@apache.org on 2015/09/30 10:22:51 UTC

svn commit: r1705979 - /subversion/trunk/subversion/libsvn_diff/parse-diff.c

Author: ivan
Date: Wed Sep 30 08:22:51 2015
New Revision: 1705979

URL: http://svn.apache.org/viewvc?rev=1705979&view=rev
Log:
Fix potential unbounded memory usage in patch parser.

* subversion/libsvn_diff/parse-diff.c
  (hunk_readline_original_or_modified): Add LAST_POOL and use for allocations
   in loop body. Clear LAST_POOL on every iteration. It's not ITERPOOL because
   we use data allocated in LAST_POOL out of the loop body.

Modified:
    subversion/trunk/subversion/libsvn_diff/parse-diff.c

Modified: subversion/trunk/subversion/libsvn_diff/parse-diff.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_diff/parse-diff.c?rev=1705979&r1=1705978&r2=1705979&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_diff/parse-diff.c (original)
+++ subversion/trunk/subversion/libsvn_diff/parse-diff.c Wed Sep 30 08:22:51 2015
@@ -655,6 +655,7 @@ hunk_readline_original_or_modified(apr_f
   apr_off_t pos;
   svn_stringbuf_t *str;
   const char *eol_p;
+  apr_pool_t *last_pool;
 
   if (!eol)
     eol = &eol_p;
@@ -671,13 +672,19 @@ hunk_readline_original_or_modified(apr_f
   pos = 0;
   SVN_ERR(svn_io_file_seek(file, APR_CUR, &pos,  scratch_pool));
   SVN_ERR(svn_io_file_seek(file, APR_SET, &range->current, scratch_pool));
+
+  /* It's not ITERPOOL because we use data allocated in LAST_POOL out
+     of the loop. */
+  last_pool = svn_pool_create(scratch_pool);
   do
     {
+      svn_pool_clear(last_pool);
+
       max_len = range->end - range->current;
       SVN_ERR(svn_io_file_readline(file, &str, eol, eof, max_len,
-                                   result_pool, scratch_pool));
+                                   last_pool, last_pool));
       range->current = 0;
-      SVN_ERR(svn_io_file_seek(file, APR_CUR, &range->current, scratch_pool));
+      SVN_ERR(svn_io_file_seek(file, APR_CUR, &range->current, last_pool));
       filtered = (str->data[0] == verboten || str->data[0] == '\\');
     }
   while (filtered && ! *eof);
@@ -725,6 +732,7 @@ hunk_readline_original_or_modified(apr_f
     }
   SVN_ERR(svn_io_file_seek(file, APR_SET, &pos, scratch_pool));
 
+  svn_pool_destroy(last_pool);
   return SVN_NO_ERROR;
 }