Posted to commits@subversion.apache.org by ph...@apache.org on 2014/04/16 18:39:29 UTC
svn commit: r1587968 - /subversion/trunk/subversion/libsvn_delta/svndiff.c
Author: philip
Date: Wed Apr 16 16:39:29 2014
New Revision: 1587968
URL: http://svn.apache.org/r1587968
Log:
Fix a case of reading beyond allocated memory with SVN0, i.e. pre-1.4,
FSFS repositories. This was identified by running svnadmin_tests.py 14
over ra_svn with svnserve running under valgrind.
* subversion/libsvn_delta/svndiff.c
(decode_window): Allocate, copy and add terminating null for SVN0, remove
incorrect comment for SVN1.
Modified:
subversion/trunk/subversion/libsvn_delta/svndiff.c
Modified: subversion/trunk/subversion/libsvn_delta/svndiff.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_delta/svndiff.c?rev=1587968&r1=1587967&r2=1587968&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_delta/svndiff.c (original)
+++ subversion/trunk/subversion/libsvn_delta/svndiff.c Wed Apr 16 16:39:29 2014
@@ -526,8 +526,6 @@ decode_window(svn_txdelta_window_t *wind
svn_stringbuf_t *instout = svn_stringbuf_create_empty(pool);
svn_stringbuf_t *ndout = svn_stringbuf_create_empty(pool);
- /* these may in fact simply return references to insend */
-
SVN_ERR(zlib_decode(insend, newlen, ndout,
SVN_DELTA_WINDOW_SIZE));
SVN_ERR(zlib_decode(data, insend - data, instout,
@@ -542,7 +540,13 @@ decode_window(svn_txdelta_window_t *wind
}
else
{
- new_data->data = (const char *) insend;
+ /* Copy the data because an svn_string_t must have the invariant
+ data[len]=='\0'. */
+ char *buf = apr_palloc(pool, newlen + 1);
+
+ memcpy(buf, insend, newlen);
+ buf[newlen] = '\0';
+ new_data->data = buf;
new_data->len = newlen;
}
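Review bot: The new SVN0 branch uses `newlen` as both the allocation size (`newlen + 1`) and the `memcpy` length, and nothing visible in this hunk shows it bounded against the bytes actually present after `insend`. If the caller has not already validated the window header, an oversized value would make `memcpy` read past the input buffer, and a value equal to the maximum `apr_size_t` would wrap the `+ 1`. decode_window starts and ends outside the hunk, so the check may well exist upstream; if it does, I would record it next to the copy, e.g. `/* Caller has verified that newlen bytes are readable at insend. */`. The allocate/copy/terminate sequence could also be written as `new_data->data = apr_pstrmemdup(pool, (const char *) insend, newlen);`, which keeps the terminator invariant in one call.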