Author: philip
Date: Thu Nov 24 14:36:47 2011
New Revision: 1205848
URL: http://svn.apache.org/viewvc?rev=1205848&view=rev
Log:
Fix a potential read beyond allocated memory.
* subversion/libsvn_fs_base/bdb/locks-table.c
(svn_fs_bdb__locks_get): When the BDB key is a path don't rely on it
being null terminated.
Modified:
subversion/trunk/subversion/libsvn_fs_base/bdb/locks-table.c
Modified: subversion/trunk/subversion/libsvn_fs_base/bdb/locks-table.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_base/bdb/locks-table.c?rev=1205848&r1=1205847&r2=1205848&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_base/bdb/locks-table.c (original)
+++ subversion/trunk/subversion/libsvn_fs_base/bdb/locks-table.c Thu Nov 24
14:36:47 2011
@@ -207,6 +207,7 @@ svn_fs_bdb__locks_get(svn_fs_t *fs,
svn_lock_t *lock;
svn_error_t *err;
const char *lookup_path = path;
+ apr_size_t lookup_len;
/* First, try to lookup PATH itself. */
err = svn_fs_bdb__lock_token_get(&lock_token, fs, path, trail, pool);
@@ -255,11 +256,13 @@ svn_fs_bdb__locks_get(svn_fs_t *fs,
if (!svn_fspath__is_root(path, strlen(path)))
lookup_path = apr_pstrcat(pool, path, "/", (char *)NULL);
+ lookup_len = strlen(lookup_path);
/* As long as the prefix of the returned KEY matches LOOKUP_PATH we
know it is either LOOKUP_PATH or a decendant thereof. */
while ((! db_err)
- && strncmp(lookup_path, key.data, strlen(lookup_path)) == 0)
+ && lookup_len < key.size
+ && strncmp(lookup_path, key.data, lookup_len) == 0)
{
const char *child_path;
