Repository: thrift
Updated Branches:
  refs/heads/master de112fbb0 -> 20116c6c0


THRIFT-3821 Check for overflow on buffer resize in TMemoryBuffer
Client: C++

This closes #1326


Project: http://git-wip-us.apache.org/repos/asf/thrift/repo
Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/20116c6c
Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/20116c6c
Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/20116c6c

Branch: refs/heads/master
Commit: 20116c6c0c5e3db2b65bdfd974b64c3d741adb8b
Parents: de112fb
Author: Alex Şuhan <alex.su...@gmail.com>
Authored: Thu Aug 3 12:28:17 2017 -0700
Committer: James E. King, III <jk...@apache.org>
Committed: Sat Aug 12 20:03:19 2017 -0700

----------------------------------------------------------------------
 lib/cpp/src/thrift/transport/TBufferTransports.cpp |  6 +++++-
 lib/cpp/test/TMemoryBufferTest.cpp                 | 13 +++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/thrift/blob/20116c6c/lib/cpp/src/thrift/transport/TBufferTransports.cpp
----------------------------------------------------------------------
diff --git a/lib/cpp/src/thrift/transport/TBufferTransports.cpp 
b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
index 700bdd5..ed5e927 100644
--- a/lib/cpp/src/thrift/transport/TBufferTransports.cpp
+++ b/lib/cpp/src/thrift/transport/TBufferTransports.cpp
@@ -361,9 +361,13 @@ void TMemoryBuffer::ensureCanWrite(uint32_t len) {
   }
 
   // Grow the buffer as necessary.
-  uint32_t new_size = bufferSize_;
+  uint64_t new_size = bufferSize_;
   while (len > avail) {
     new_size = new_size > 0 ? new_size * 2 : 1;
+    if (new_size > std::numeric_limits<uint32_t>::max()) {
+      throw TTransportException(TTransportException::BAD_ARGS,
+                                "Internal buffer size exceeded 2GB");
+    }
     avail = available_write() + (new_size - bufferSize_);
   }
 

http://git-wip-us.apache.org/repos/asf/thrift/blob/20116c6c/lib/cpp/test/TMemoryBufferTest.cpp
----------------------------------------------------------------------
diff --git a/lib/cpp/test/TMemoryBufferTest.cpp 
b/lib/cpp/test/TMemoryBufferTest.cpp
index 1586609..aa44b16 100644
--- a/lib/cpp/test/TMemoryBufferTest.cpp
+++ b/lib/cpp/test/TMemoryBufferTest.cpp
@@ -117,4 +117,17 @@ BOOST_AUTO_TEST_CASE(test_exceptions) {
   BOOST_CHECK_NO_THROW(buf2.write((const uint8_t*)"bar", 3));
 }
 
+#ifndef _WIN32
+// We can't allocate 1 GB of memory in 32-bit environments.
+BOOST_AUTO_TEST_CASE(test_over_two_gb) {
+  TMemoryBuffer buf;
+  std::vector<uint8_t> small_buff(1);
+  std::vector<uint8_t> one_gb(1073741824);
+
+  buf.write(&small_buff[0], small_buff.size());
+  buf.write(&one_gb[0], one_gb.size());
+  BOOST_CHECK_THROW(buf.write(&one_gb[0], one_gb.size()), TTransportException);
+}
+#endif
+
 BOOST_AUTO_TEST_SUITE_END()

Reply via email to