
2003-04-14

2003-04-14 14:24:03 by Martin Stjernholm <mast@lysator.liu.se>

Fixed dereferencing of possibly freed memory, which under rare circumstances
can cause buffer overflows.

Rev: src/modules/_Roxen/roxen.c:1.34

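--- a/src/modules/_Roxen/roxen.c
+++ b/src/modules/_Roxen/roxen.c
@@ -2,7 +2,7 @@
 || This file is part of Pike. For copyright information see COPYRIGHT.
 || Pike is distributed under GPL, LGPL and MPL. See the file COPYING
 || for more information.
-|| $Id: roxen.c,v 1.33 2003/03/14 15:57:49 grubba Exp $
+|| $Id: roxen.c,v 1.34 2003/04/14 14:24:03 mast Exp $
 */
 
 #define NO_PIKE_SHORTHAND
@@ -75,6 +75,7 @@
 {
   struct pike_string *str = Pike_sp[-1].u.string;
   struct header_buf *hp = THP;
+  int str_len;
   int tot_slash_n=hp->slash_n, slash_n = 0, spc = hp->spc;
   char *pp,*ep;
   struct svalue *tmp;
@@ -86,8 +86,9 @@
     Pike_error("Wrong type of argument to feed()\n");
   if( str->size_shift )
     Pike_error("Wide string headers not supported\n");
-  while( str->len >= hp->left )
+  str_len = str->len;
+  while( str_len >= hp->left )
   {
     char *buf;
     if( THP->hsize > 512 * 1024 )
@@ -105,11 +105,11 @@
     THP->pnt = (THP->headers + THP->hsize - THP->left);
   }
 
-  MEMCPY( hp->pnt, str->str, str->len );
+  MEMCPY( hp->pnt, str->str, str_len );
   pop_n_elems( args );
 
   /* FIXME: The below does not support lines terminated with just \r. */
-  for( ep=(hp->pnt+str->len),pp=MAXIMUM(hp->headers,hp->pnt-3);
+  for( ep=(hp->pnt+str_len),pp=MAXIMUM(hp->headers,hp->pnt-3);
        pp<ep && slash_n<2; pp++ )
     if( *pp == ' ' ) spc++;
     else if( *pp == '\n' ) slash_n++, tot_slash_n++;
@@ -118,8 +118,8 @@
   hp->slash_n = tot_slash_n;
   hp->spc = spc;
 
-  hp->left -= str->len;
-  hp->pnt += str->len;
+  hp->left -= str_len;
+  hp->pnt += str_len;
   hp->pnt[0] = 0;
 
   if( slash_n != 2 )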
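Review bot: The new `str_len = str->len;` line in the hunk at line 86 carries no hint of why the length is copied into a local, so a later edit could reintroduce `str->len` after the `pop_n_elems( args )` call that this commit works around and bring the freed-memory read back; a comment such as `/* pop_n_elems() below may free str; keep its length in a local. */` directly above that line would pin the reason down. Declaring it as `int str_len` also narrows `str->len` if that field is wider than `int` (I believe pike_string uses ptrdiff_t, worth confirming), so `ptrdiff_t str_len;` in the hunk at line 75 would keep the `>= hp->left` comparison and the MEMCPY length exact for very large inputs, depending on how `left` is declared. The same width question applies to the pointer arithmetic in the hunks at lines 105 and 118. The enclosing feed() function starts before the first code hunk and continues past the last one.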