http://issues.apache.org/bugzilla/show_bug.cgi?id=43310

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

------- Additional Comments From [EMAIL PROTECTED]  2007-09-06 19:45 -------
I reviewed the patch. Patch looks ok to me.

Here is the description of the bug:

In ap_vrprintf, vrprintf_buf is an array of 8192 bytes allocated on the stack. ap_vrprintf invokes ap_vformatter to format the string. ap_vformatter prints the data character by character; if the buffer is overflowed, then it flushes the data and resets vdbuf.curpos to the beginning of the buffer. If the size of the output is a multiple of 8192, then after ap_vformatter returns, vbuff.curpos points one byte past the allocated buffer. (ap_vformatter itself doesn't write beyond the allocated buffer.) We can't write NULL to this position, as it overflows the buffer.

For a request with /test/?8192, here is the debugger session:

Breakpoint 1, ap_vrprintf (r=0x91f6028, fmt=0xd137af "%s", va=0xb731d218 "(ÜM\t\005") at protocol.c:1530
1530        vd.vbuff.curpos = vrprintf_buf;
(gdb) n
1531        vd.vbuff.endpos = vrprintf_buf + AP_IOBUFSIZE;
(gdb) n
1532        vd.r = r;
(gdb) n
1533        vd.buff = vrprintf_buf;
(gdb) n
1535        if (r->connection->aborted)
(gdb) n
1538        written = apr_vformatter(r_flush, &vd.vbuff, fmt, va);
(gdb) n
1541        *(vd.vbuff.curpos) = '\0';
(gdb) p vd.vbuff.curpos - vrprintf_buf
$1 = 8192
(gdb) p sizeof(vrprintf_buf)
$2 = 8192
(gdb)

This patch deletes the statement which sets the null value. This null value is not used later in the function. The buffer_output function flushes the rest of the data, and it doesn't see the data beyond vdbuff.curpos. Also, buffer_output doesn't make any call which assumes a NULL character at the end.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
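The off-by-one described in the comment above, reproduced as an added stand-alone model (this is not httpd's or APR's own code). It assumes the flush-before-insert behaviour the comment describes for apr_vformatter: the flush callback is invoked only when curpos has already reached endpos and another character must be stored, so an output whose length is an exact multiple of the buffer size leaves curpos == endpos, one past the last valid byte. The model_* and nul_store_* names are hypothetical; the buffer size mirrors AP_IOBUFSIZE from the gdb session.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define AP_IOBUFSIZE 8192   /* same size as vrprintf_buf in the report */

/* Minimal stand-in for apr_vformatter's buffer descriptor. */
typedef struct { char *curpos; char *endpos; } vbuff_t;

/* Stand-in for ap_vrprintf's private state; vbuff must be first so the
   flush callback can cast back to it, as r_flush does in httpd. */
typedef struct {
    vbuff_t vbuff;
    char   *buff;
    size_t  flushed;        /* bytes handed on to the "network" so far */
} vrprintf_data_t;

/* Models r_flush(): deliver [buff, curpos) and rewind to the start. */
static int model_flush(vbuff_t *vb) {
    vrprintf_data_t *vd = (vrprintf_data_t *)vb;
    vd->flushed += (size_t)(vb->curpos - vd->buff);
    vb->curpos = vd->buff;
    return 0;
}

/* Models apr_vformatter's per-character insert (assumed behaviour): flush
   only when the buffer is already full *before* storing the next byte.
   After the last byte, curpos may therefore equal endpos with no flush. */
static size_t model_vformatter(vbuff_t *vb, const char *s) {
    size_t n = 0;
    for (; *s; s++, n++) {
        if (vb->curpos >= vb->endpos)
            model_flush(vb);
        *vb->curpos++ = *s;
    }
    return n;
}

/* Shared setup: format a constructed string of `len` 'A' bytes (the
   /test/?8192 request in the report produced an 8192-byte "%s" output). */
static int run_formatter(vrprintf_data_t *vd, char *buf, size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    vd->vbuff.curpos = buf;
    vd->vbuff.endpos = buf + AP_IOBUFSIZE;
    vd->buff = buf;
    vd->flushed = 0;
    model_vformatter(&vd->vbuff, s);
    free(s);
    return 0;
}

/* Index (curpos - vrprintf_buf) at which the removed statement
   "*(vd.vbuff.curpos) = '\0';" would have stored its byte.
   A value of AP_IOBUFSIZE is one past the end of the stack array. */
size_t nul_store_index(size_t len) {
    char buf[AP_IOBUFSIZE];
    vrprintf_data_t vd;
    if (run_formatter(&vd, buf, len) != 0)
        return 0;
    return (size_t)(vd.vbuff.curpos - buf);
}

/* 1 when the old NUL store would write outside vrprintf_buf. */
int nul_store_overflows(size_t len) {
    return nul_store_index(len) >= AP_IOBUFSIZE;
}

/* Patched flow: no NUL store; the caller's final flush (buffer_output in
   httpd) delivers [buff, curpos) and never reads past curpos.
   Returns the total number of bytes delivered, which must equal len. */
size_t model_vrprintf_fixed(size_t len) {
    char buf[AP_IOBUFSIZE];
    vrprintf_data_t vd;
    if (run_formatter(&vd, buf, len) != 0)
        return 0;
    model_flush(&vd.vbuff);          /* final flush of the partial buffer */
    return vd.flushed;
}

int main(void) {
    size_t lens[] = { 0, 8191, 8192, 8193, 16384 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu  nul index=%zu  overflows=%d  delivered=%zu\n",
               lens[i], nul_store_index(lens[i]),
               nul_store_overflows(lens[i]), model_vrprintf_fixed(lens[i]));
    return 0;
}
```

Only the exact multiples of 8192 trip the check: one byte less leaves curpos inside the array, one byte more has already triggered a flush and rewound it to offset 1. The patched path loses nothing by dropping the terminator, since every byte is accounted for by the flushes plus the final [buff, curpos) write.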
