You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@apr.apache.org by Sander Striker <st...@apache.org> on 2001/08/23 16:00:24 UTC

Possible segfault in apr_pvsprintf

Hi,

In addition to the possible segfault in apr_palloc
when no abort function is set and we're out of mem,
there is another possible segfault in apr_pvsprintf.
This one is even worse, because there is no abort
function.

Excerpt from apr_pools.c:psprintf_flush():

    /* must try another blok */
#if APR_HAS_THREADS
    apr_lock_acquire(alloc_mutex);
#endif
    nblok = new_block(2 * cur_len, NULL);
#if APR_HAS_THREADS
    apr_lock_release(alloc_mutex);
#endif
    memcpy(nblok->h.first_avail, blok->h.first_avail, cur_len);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ps->vbuff.curpos = nblok->h.first_avail + cur_len;
    /* save a byte for the NUL terminator */
    ps->vbuff.endpos = nblok->h.endp - 1;

The code will segfault when out of mem occurs within psprintf_flush
at the moment at the marked line.

Sander