mod_mem_cache segfault

From: Bill Stoddard <bill_at_wstoddard.com>
Date: 2002-06-17 22:41:23 CEST

Some more analysis ... The PQ code has an array indexing problem. You can see the problem
at work in cache_pq_remove code:

apr_status_t cache_pq_remove(cache_pqueue_t *q, void* d)
{
    apr_ssize_t posn;
    void *popped = NULL;
    long pri_popped;
    long pri_removed;

posn = q->get(d);

/*
* posn is the position of the entry being removed from the PQ indexed starting from 1.
*/
popped = cache_pq_pop(q);

if (!popped)
return APR_EGENERAL;

    if (d == popped) {
        return APR_SUCCESS;
    }
    pri_popped = q->pri(popped);
    pri_removed = q->pri(d);

q->d[posn] = popped;

/*
* Ooops.... we just whacked entry posn indexed starting from 0, which is not the one we
wanted.
*/

I have also noticed that q->d[0] always points to invalid memory which implies that the
q->d
array may be subject to overflow as well (ie, accessing position 5 in an array of size 5).

Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jun 17 22:38:49 2002

This message: [ Message body ]
Next message: Karl Fogel: "Re: svn project website: error in FAQ"
Previous message: Stefan Richter: "svn project website: error in FAQ"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]