On Thu, Apr 2, 2020 at 11:29 AM Denis Kovalchuk <denis.kovalc...@visualsvn.com> wrote:
> I think I have found undefined behavior in the code that constructs the ID for
> the per-transaction DAG node cache.
>
> In the make_txn_root() function, the txn variable of type svn_fs_fs__id_part_t *
> is passed to the apr_pstrcat() function, leading to undefined behavior.
> I can assume that originally it was planned to pass a textual representation
> of the txn, instead of passing the txn itself.
>
> Although the ID is not used anywhere, except in debug-only calls of the
> svn_cache__get_info() and svn_cache__format_info() functions, the improper call
> to apr_pstrcat() may cause a potential crash, etc.
Good catch! This definitely looks like a bug that was never caught because apr_pstrcat() is a variadic function with NO type checking!!

Thanks,
Nathan
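Added example, not code from the Subversion tree or from either poster: a stand-in for apr_pstrcat() and a hypothetical id struct, showing why a struct pointer passed to a variadic string function compiles without any diagnostic and what the corrected, text-first form looks like. The names txn_id_t, strcat_va, make_cache_id, the "fsfs:txn:" prefix and the "%lu-%lu" id format are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for svn_fs_fs__id_part_t (constructed for this example). */
typedef struct { unsigned long number; unsigned long revision; } txn_id_t;

/* Stand-in for apr_pstrcat(): joins a NULL-terminated list of C strings into a
 * malloc'd buffer.  The variadic prototype means the compiler checks nothing
 * about the trailing arguments; the sentinel attribute (GCC/Clang) at least
 * warns when the terminating NULL is missing, but not when an argument is a
 * struct pointer rather than a const char *. */
static char *strcat_va(const char *first, ...) __attribute__((sentinel));
static char *strcat_va(const char *first, ...)
{
    va_list ap;
    size_t len = 0, n;
    const char *s;
    char *out, *p;
    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *))
        len += strlen(s);
    va_end(ap);
    out = malloc(len + 1);
    if (out == NULL) return NULL;
    p = out;
    va_start(ap, first);
    for (s = first; s != NULL; s = va_arg(ap, const char *)) {
        n = strlen(s);
        memcpy(p, s, n);
        p += n;
    }
    va_end(ap);
    *p = '\0';
    return out;
}

/* Buggy shape described in the thread: the struct pointer itself is passed and
 * is read back as a char *, which is undefined behaviour.  Left as a comment
 * because it must never execute:
 *     return strcat_va("fsfs:txn:", txn, NULL);   <- compiles, no warning
 */
/* Corrected shape: render the id to text first, then concatenate. */
char *make_cache_id(const txn_id_t *txn)
{
    char txt[64];
    snprintf(txt, sizeof txt, "%lu-%lu", txn->number, txn->revision);
    return strcat_va("fsfs:txn:", txt, NULL);
}
```

The caller owns the returned buffer and must free() it; the real apr_pstrcat() allocates from a pool instead.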