
Re: uninitialised memory read, a suspicious MD5 checksum?

From: Philip Martin <philip_at_codematters.co.uk>
Date: 2002-05-15 02:43:50 CEST

cmpilato@collab.net writes:

> Philip Martin <philip@codematters.co.uk> writes:
>
> > After a little investigation it appears to be a suspicious md5
> > checksum. Running the commit without valgrind and setting a breakpoint
> > in svn_fs__unparse_representation_skel at fs_skels.c:668 I see
>
> Yeah, we simply aren't using the MD5 checksum field right now -- it's
> one of the many things on the "to-do" list.

Ok, I still think we might have a bug in the current code.

Looking at svn_fs__rep_deltify() it calls svn_txdelta() to create
txdelta_stream. This does not initialise the digest member. Later
svn_fs__rep_deltify() calls svn_txdelta_md5_digest() to retrieve the
digest; it has still not been initialised. It gets memcpy'd into a
chunk, and later memcpy'd into a skel. This is the memory that is
used in use_implict() to query the skel_char_type table.

Thus the arbitrary uninitialised value of digest in svn_txdelta()
determines whether use_implict() returns 1 or 0. (I checked, using
the debugger, whatever value I put into digest in svn_txdelta()
appears when use_implict() is called.) This looks wrong to me, but I
don't know enough about the code to say what the initial value of
digest should be.

-- 
Philip
Received on Wed May 15 02:50:43 2002

This is an archived mail posted to the Subversion Dev mailing list.
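
The data flow described in the message above, modelled as an added C example; it is not part of the original mail and is not Subversion code. The names `toy_stream`, `alloc_stale`, `atom_use_implicit` and `decision_for` are hypothetical, the classifier is a simplified stand-in for the `skel_char_type` lookup, and zeroing the digest in the fixed constructor is an assumption chosen only to give the member a defined value.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 16

/* Hypothetical stand-in for the delta stream; only the digest matters here. */
struct toy_stream { int more; unsigned char digest[DIGEST_LEN]; };

/* Allocate and fill with a caller-chosen byte: a deterministic model of
   whatever stale heap contents an uninitialised allocation would hold. */
static void *alloc_stale(size_t n, unsigned char stale) {
    void *p = malloc(n);
    if (p) memset(p, stale, n);
    return p;
}

/* Buggy pattern: digest is never written after allocation. */
static struct toy_stream *stream_create_buggy(unsigned char stale) {
    struct toy_stream *s = alloc_stale(sizeof *s, stale);
    if (s) s->more = 1;
    return s;
}

/* Fixed pattern: every member gets a defined value at creation. */
static struct toy_stream *stream_create_fixed(unsigned char stale) {
    struct toy_stream *s = alloc_stale(sizeof *s, stale);
    if (s) { s->more = 1; memset(s->digest, 0, DIGEST_LEN); }
    return s;
}

/* Simplified classifier: 1 if the atom may be written without a length
   prefix (first byte a letter, no whitespace or parentheses), else 0. */
static int atom_use_implicit(const unsigned char *d, size_t len) {
    if (len == 0 || !isalpha(d[0])) return 0;
    for (size_t i = 1; i < len; i++)
        if (isspace(d[i]) || d[i] == '(' || d[i] == ')') return 0;
    return 1;
}

/* Follow the digest through both copies and return the decision. */
static int decision_for(struct toy_stream *(*create)(unsigned char),
                        unsigned char stale) {
    unsigned char chunk[DIGEST_LEN], atom[DIGEST_LEN];
    struct toy_stream *s = create(stale);
    if (!s) return -1;
    memcpy(chunk, s->digest, DIGEST_LEN);  /* stream -> chunk */
    memcpy(atom, chunk, DIGEST_LEN);       /* chunk -> skel atom */
    free(s);
    return atom_use_implicit(atom, DIGEST_LEN);
}
```

With the buggy constructor the serialisation decision follows the stale byte, which matches the debugger experiment in the message; with the fixed constructor it is the same for every stale byte.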