orbisai0security commented on PR #73: URL: https://github.com/apache/apr/pull/73#issuecomment-4471676980
Thanks for the review. I agree that the current description overstates the issue and incorrectly frames this as a confirmed critical overflow. I’ll revise the PR to narrow it to defensive hardening only.

In particular, I’ll remove the “five memcpy calls” / “critical severity” language and keep only the allocation-failure guard before memcpy(), since calling memcpy with a NULL destination after alloc() failure would be undefined behaviour.

For the APR_BUFFER_MAX checks, I understand your point that they do not prove that src->d.mem is actually backed by src->size bytes, so they do not fix the claimed issue. I’m happy to drop those from this PR unless you think they are still useful as a separate invariant check.

Would a smaller patch focused only on the alloc() NULL check, with tests/docs adjusted for expected behaviour, be acceptable?
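An added illustration of the allocation-failure guard discussed above; this is not APR's code and not the PR's patch. The `buf_t` struct, `alloc_fn` callback, `heap_alloc`, `failing_alloc` and `demo` are hypothetical names modelled only on the field and function names mentioned in the comment (mem, size, alloc()).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer modelled on the field names in the comment (mem, size);
 * not APR's apr_buffer_t, and alloc_fn is not APR's allocator hook. */
typedef struct { void *mem; size_t size; } buf_t;
typedef void *(*alloc_fn)(void *ctx, size_t len);

/* Hardened copy: an alloc() failure becomes an error return instead of
 * reaching memcpy() with a NULL destination (undefined behaviour). A bound
 * check on src->size (APR_BUFFER_MAX-style) would not prove that src->mem is
 * backed by src->size bytes, so it is a separate invariant, not this fix. */
static int buf_copy(const buf_t *src, alloc_fn alloc, void *ctx, buf_t *dst)
{
    dst->mem = NULL;
    dst->size = 0;
    if (src->size == 0)
        return 0;                     /* memcpy(NULL, ..., 0) is UB too; skip */
    void *mem = alloc(ctx, src->size);
    if (mem == NULL)
        return -1;                    /* report failure; never call memcpy() */
    memcpy(mem, src->mem, src->size); /* destination is known valid here */
    dst->mem = mem;
    dst->size = src->size;
    return 0;
}

/* Allocators for both paths: the heap, and one that always fails. */
static void *heap_alloc(void *ctx, size_t len) { (void)ctx; return malloc(len); }
static void *failing_alloc(void *ctx, size_t len) { (void)ctx; (void)len; return NULL; }

/* Copies constructed input with the given allocator. Returns 1 when an
 * allocation failure was reported cleanly (dst left empty), 2 when the copy
 * succeeded with matching bytes, and 0 for anything else. */
static int demo(alloc_fn alloc)
{
    char sample[] = "constructed sample";   /* constructed input */
    buf_t src = { sample, sizeof sample };
    buf_t dst;
    int rc = buf_copy(&src, alloc, NULL, &dst);
    int result = 0;
    if (rc == -1 && dst.mem == NULL && dst.size == 0)
        result = 1;
    else if (rc == 0 && dst.size == sizeof sample
             && memcmp(dst.mem, sample, sizeof sample) == 0)
        result = 2;
    free(dst.mem);                    /* free(NULL) is a no-op */
    return result;
}
```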
