Bug in svn_stringbuf_insert and svn_stringbuf_replace
From: Julian Foad <julianfoad_at_btopenworld.com>
Date: Fri, 9 Jan 2015 17:52:54 +0000
I just spotted this.
svn_stringbuf_insert() contains this:
    temp = apr_pstrndup(str->pool, bytes, count);
That's wrong for an arbitrary array of bytes, because it will stop copying at the first null byte.
Using apr_pmemdup() should fix it.
Same in svn_stringbuf_replace().
Inadequate test coverage. It is tested only with non-zero-length strings of ASCII characters. (Another scenario not tested is inserting a string that overlaps the existing string and starts or ends at the existing string's start or end or end-plus-null.)
This is an archived mail posted to the Subversion Dev mailing list.
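The difference between the two copy semantics discussed in the mail, as an added example that is not part of the original post or of Subversion's code. `dup_strn`, `dup_mem` and `insert_bytes` are hypothetical malloc-based stand-ins (no APR pools), and the return codes are this example's own; the insert refuses to proceed when the temporary copy came back shorter than `count`, instead of reading past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char *(*dup_fn)(const char *s, size_t n, size_t *copied);

/* Stand-in with apr_pstrndup() semantics: stops at the first NUL byte. */
static char *dup_strn(const char *s, size_t n, size_t *copied) {
    const char *nul = memchr(s, '\0', n);
    char *res;
    *copied = nul ? (size_t)(nul - s) : n;
    if (!(res = malloc(*copied + 1))) return NULL;
    memcpy(res, s, *copied);
    res[*copied] = '\0';
    return res;
}

/* Stand-in with apr_pmemdup() semantics: copies exactly n bytes. */
static char *dup_mem(const char *s, size_t n, size_t *copied) {
    char *res = malloc(n ? n : 1);
    if (res) memcpy(res, s, n);
    *copied = n;
    return res;
}

/* Hypothetical insert into data[0..*len) with capacity cap. The source is
   duplicated first so it may overlap data. Returns 0 on success, -1 on bad
   arguments or allocation failure, -2 if the temporary came back short. */
static int insert_bytes(dup_fn dup, char *data, size_t *len, size_t cap,
                        size_t pos, const char *bytes, size_t count) {
    size_t copied = 0;
    char *temp;
    if (*len > cap || pos > *len || count > cap - *len) return -1;
    if (!(temp = dup(bytes, count, &copied))) return -1;
    if (copied != count) { free(temp); return -2; }  /* truncated at a NUL */
    memmove(data + pos + count, data + pos, *len - pos);
    memcpy(data + pos, temp, count);
    *len += count;
    free(temp);
    return 0;
}

int main(void) {
    char buf[16] = "ab\0cd";            /* constructed sample: 5 bytes, NUL inside */
    size_t len = 5;
    printf("strndup-style: %d\n", insert_bytes(dup_strn, buf, &len, sizeof buf, 0, buf, 5));
    printf("memdup-style:  %d\n", insert_bytes(dup_mem, buf, &len, sizeof buf, 0, buf, 5));
    printf("length now %lu\n", (unsigned long)len);
    return 0;
}
```

With pure ASCII input both stand-ins copy the same bytes, which is why a test suite limited to such strings cannot tell them apart.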