pan2 r340 - trunk/pan/data



Author: csk
Date: Fri Jul  4 15:10:52 2008
New Revision: 340
URL: http://svn.gnome.org/viewvc/pan2?rev=340&view=rev

Log:
#535413: fix heap overflow in pan when parsing .nzb files.  Thanks very much to Pavel Polischouk for the patch.


Modified:
   trunk/pan/data/parts.cc
   trunk/pan/data/parts.h

Modified: trunk/pan/data/parts.cc
==============================================================================
--- trunk/pan/data/parts.cc	(original)
+++ trunk/pan/data/parts.cc	Fri Jul  4 15:10:52 2008
@@ -303,8 +303,7 @@
   this->n_parts_total = n_parts_total;
   this->n_parts_found = 0; // they haven't been added yet
 
-  if (n_parts_found > parts.size())
-    parts.resize (n_parts_found);
+  parts.clear();
 }
 
 void
@@ -312,21 +311,10 @@
                        const StringView  & mid,
                        bytes_t             bytes)
 {
-  if (n_parts_found >= parts.size())
-    parts.resize (n_parts_found+1);
-
-  Part& p = *(&parts.front() + n_parts_found++);
-  p.number = number;
-  p.bytes = bytes;
 
   Packer packer;
   pack_message_id (packer, mid, reference_mid);
-  p.len_used = packer.size ();
-  if (p.len_alloced < p.len_used) {
-    delete [] p.packed_mid;
-    p.packed_mid = new char [p.len_used];
-    p.len_alloced = p.len_used;
-  }
+  Part p(number,bytes,packer.size());
   packer.pack (p.packed_mid);
   packed_mids_len += p.len_used;
 
@@ -337,8 +325,9 @@
   assert (mid == tmp);
 #endif
 
-  if (n_parts_total < n_parts_found)
+  if (n_parts_total < ++n_parts_found)
       n_parts_total = n_parts_found;
+  parts.push_back(p);
 }
 
 PartBatch :: Part&
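Review bot: `parts.push_back(p)` is the last statement of add_part, after `packed_mids_len` (previous hunk) and `n_parts_found` have already been updated, so if the copy made by push_back throws std::bad_alloc the counters no longer match `parts.size()`. Doing the push first keeps them in step: `parts.push_back(p);` followed by `packed_mids_len += p.len_used;` and `++n_parts_found;`. The increment folded into `if (n_parts_total < ++n_parts_found)` is also easy to miss when reading; a separate `++n_parts_found;` line before the comparison is clearer. add_part begins outside this hunk.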
@@ -346,7 +335,7 @@
 {
   number =  that.number;
   bytes =  that.bytes;
-  len_used = len_alloced = that.len_used;
+  len_used = that.len_used;
   delete [] packed_mid;
   packed_mid = new char [len_used];
   memcpy (packed_mid, that.packed_mid, len_used);
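Review bot: The assignment body frees `packed_mid` before it reads `that.packed_mid`, so a self-assignment would memcpy from the buffer that was just deleted, and if `new char [len_used]` throws, `packed_mid` is left dangling for `~Part()` to delete a second time. A default-constructed Part also has `packed_mid(0)`, so the memcpy can be handed a null source with length 0. Allocating and copying into a temporary first, then releasing the old buffer, covers all three cases. The signature and the return statement are outside the hunk.

```cpp
  // … unchanged: number and bytes assignments …
  char * fresh = new char [that.len_used];
  if (that.len_used)
    memcpy (fresh, that.packed_mid, that.len_used);
  delete [] packed_mid;
  packed_mid = fresh;
  len_used = that.len_used;
```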
@@ -357,11 +346,17 @@
   number (that.number),
   bytes (that.bytes),
   len_used (that.len_used),
-  len_alloced (that.len_used),
   packed_mid (new char [len_used])
 {
   memcpy (packed_mid, that.packed_mid, len_used);
 }
+PartBatch :: Part :: Part (number_t n, bytes_t b, size_t l):
+    number(n),
+    bytes(b),
+    len_used(l),
+    packed_mid(new char [len_used])
+{
+}
 
 void
 PartBatch :: sort (void)
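Review bot: The new three-argument constructor sizes the buffer with `packed_mid(new char [len_used])`, which is only correct because `len_used` is declared before `packed_mid` in parts.h; if the members were ever reordered the allocation would be sized from an uninitialized value. Using the parameter removes that dependency: `packed_mid(new char [l])`. The copy constructor just above has the same pattern and could use `that.len_used` in the same way. A blank line between the copy constructor's closing brace and the new definition would match the spacing used elsewhere in the file.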

Modified: trunk/pan/data/parts.h
==============================================================================
--- trunk/pan/data/parts.h	(original)
+++ trunk/pan/data/parts.h	Fri Jul  4 15:10:52 2008
@@ -141,10 +141,10 @@
         number_t number;
         bytes_t bytes;
         size_t len_used;
-        size_t len_alloced;
         char * packed_mid;
         Part(): number(0), bytes(0),
-                len_used(0), len_alloced(0), packed_mid(0) {}
+                len_used(0), packed_mid(0) {}
+        Part(number_t n, bytes_t b, size_t l);
         ~Part() { delete [] packed_mid; }
         Part (const Part&);
         Part& operator= (const Part&);
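Review bot: The new `Part(number_t n, bytes_t b, size_t l)` declaration carries no comment saying what `l` means or who fills the buffer. Since add_part writes through `p.packed_mid` directly and nothing but convention ties `len_used` to the size of the allocation, a line such as `// allocates an uninitialized packed_mid of l bytes; the caller must pack exactly l bytes into it` above the declaration would record the contract this fix relies on. The enclosing struct begins and ends outside the hunk.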


