Segmentation fault in dav_svn_get_txn

Hi,

I have discovered a segmentation fault in
subversion/mod_dav_svn/activity.c (Subversion 0.37.0) in function
dav_svn_get_txn. It unconditionally invokes apr_dbm_freedatum(dbm,
value) even if value hasn't been initialized. Obviously, the call to
apr_dbm_freedatum should be moved up two lines (just after the
apr_pstrdup). Here is the fixed version:

const char *dav_svn_get_txn(const dav_svn_repos *repos,
                            const char *activity_id)
{
  apr_dbm_t *dbm;
  apr_status_t status;
  const char *pathname;
  apr_datum_t key;
  apr_datum_t value;
  const char *txn_name = NULL;

  pathname = svn_path_join(repos->fs_path, ACTIVITY_DB, repos->pool);
  status = apr_dbm_open(&dbm, pathname, APR_DBM_READONLY,
                        APR_OS_DEFAULT, repos->pool);
  if (status != APR_SUCCESS)
    {
      /* ### let's just assume that any error means the DB doesn't exist,
         ### therefore, the activity/transaction doesn't exist */
      return NULL;
    }

  key.dptr = (char *)activity_id;
  key.dsize = strlen(activity_id) + 1; /* null-term'd */
  if (apr_dbm_exists(dbm, key))
    {
      status = apr_dbm_fetch(dbm, key, &value);
      if (status != APR_SUCCESS)
        {
          /* ### again: assume failure means it doesn't exist */
          apr_dbm_close(dbm);
          return NULL;
        }
      txn_name = apr_pstrdup(repos->pool, value.dptr); /* null-term'd */
      apr_dbm_freedatum(dbm, value);
    }

  apr_dbm_close(dbm);

  return txn_name;
}

bye, Christof

-- 
http://cmeerw.org
mailto cmeerw at web.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org