
mod_mem_cache segfault

From: Bill Stoddard <bill_at_wstoddard.com>
Date: 2002-06-17 22:41:23 CEST

Some more analysis ... The PQ code has an array indexing problem. You can see the problem
at work in the cache_pq_remove code:

apr_status_t cache_pq_remove(cache_pqueue_t *q, void* d)
{
    apr_ssize_t posn;
    void *popped = NULL;
    long pri_popped;
    long pri_removed;

    posn = q->get(d);

/*
 * posn is the position of the entry being removed from the PQ indexed starting from 1.
 */
    popped = cache_pq_pop(q);

    if (!popped)
        return APR_EGENERAL;

    if (d == popped) {
        return APR_SUCCESS;
    }
    pri_popped = q->pri(popped);
    pri_removed = q->pri(d);

    q->d[posn] = popped;

/*
 * Ooops.... we just whacked entry posn indexed starting from 0, which is not the one we wanted.
 */

I have also noticed that q->d[0] always points to invalid memory which implies that the q->d
array may be subject to overflow as well (ie, accessing position 5 in an array of size 5).

Bill
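As an added example, not code from mod_mem_cache or from this post: a small C heap in which each entry records its 1-based position, the way get() does above, with the posted remove pattern beside a corrected one. The type and function names (entry_t, pq_t, pq_remove_buggy, pq_remove_fixed) are constructed for the example.

```c
#include <stddef.h>
/* Constructed example (not the mod_mem_cache code): a 0-based array heap whose entries
 * record a 1-based position, as get() does in the post. */
typedef struct { long pri; int posn; } entry_t;            /* posn is 1-based */
typedef struct { entry_t **d; int size; int avail; } pq_t; /* live: d[0..size-1] */
static void pq_set(pq_t *q, int i, entry_t *e) { q->d[i] = e; e->posn = i + 1; }
static void pq_swap(pq_t *q, int i, int j) { entry_t *t = q->d[i]; pq_set(q, i, q->d[j]); pq_set(q, j, t); }
static void pq_sift_up(pq_t *q, int i) {
    for (; i > 0 && q->d[(i - 1) / 2]->pri < q->d[i]->pri; i = (i - 1) / 2)
        pq_swap(q, i, (i - 1) / 2);
}
static void pq_sift_down(pq_t *q, int i) {
    for (int m = i;; i = m) {                  /* m: largest of i and its children */
        for (int c = 2 * i + 1; c <= 2 * i + 2 && c < q->size; c++)
            if (q->d[c]->pri > q->d[m]->pri) m = c;
        if (m == i) return;
        pq_swap(q, i, m);
    }
}
int pq_push(pq_t *q, entry_t *e) {
    if (q->size >= q->avail) return -1;        /* full: never write d[avail] */
    pq_set(q, q->size++, e); pq_sift_up(q, q->size - 1);
    return 0;
}
entry_t *pq_pop(pq_t *q) {                     /* remove and return the maximum */
    if (q->size == 0) return NULL;
    entry_t *top = q->d[0];
    if (--q->size > 0) { pq_set(q, 0, q->d[q->size]); pq_sift_down(q, 0); }
    return top;
}
/* The posted pattern: a 1-based posn used as a 0-based subscript clobbers the slot
 * after d and leaves d queued; for a last entry (posn == size) it writes d[size]. */
int pq_remove_buggy(pq_t *q, entry_t *d) {
    int posn = d->posn;                        /* 1-based, as get() returns it */
    entry_t *popped = pq_pop(q);
    if (!popped) return -1;
    if (popped == d) return 0;
    q->d[posn] = popped;                       /* BUG: off by one */
    return 0;
}
/* Corrected: subtract 1, and read the position after the pop, whose sift-down
 * may have moved d; popped was the maximum, so it only needs to sift up. */
int pq_remove_fixed(pq_t *q, entry_t *d) {
    entry_t *popped = pq_pop(q);
    if (!popped) return -1;
    if (popped == d) return 0;
    int posn = d->posn - 1;                    /* 0-based subscript */
    pq_set(q, posn, popped); pq_sift_up(q, posn);
    return 0;
}
```

Pushing entries with priorities 50, 40, 30, 20, 10 and removing the 30 makes the difference visible: the corrected version then pops 50, 40, 20, 10, while the posted pattern pops 40, 50, 30, 20 and has lost the 10.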

Received on Mon Jun 17 22:38:49 2002

This is an archived mail posted to the Subversion Dev mailing list.