Bug 2339: segfault in MemBuf::append()
This segfault was caused by a buffer overrun in Range header processing.
The fix re-arranges the length calculations to make sense.
StoreIOBuffer tempBuffer;
char *buf = next()->readBuffer.data;
- char *body_buf = buf + reply->hdr_sz - next()->readBuffer.offset;
+ char *body_buf = buf + reply->hdr_sz;
//Server side may disable ranges under some circumstances.
if ((!http->request->range))
next()->readBuffer.offset = 0;
+ body_buf -= next()->readBuffer.offset;
+
if (next()->readBuffer.offset != 0) {
if (next()->readBuffer.offset > body_size) {
/* Can't use any of the body we received. send nothing */
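Review bot: The added `body_buf -= next()->readBuffer.offset;` runs before the `next()->readBuffer.offset > body_size` check a few lines below, so the pointer is moved back by an offset that has not yet been validated. If the offset can exceed `reply->hdr_sz`, `body_buf` would point before `buf`. Consider applying the adjustment only inside the branch where the offset has been checked, or asserting the bound at this point. The new ordering also depends on `readBuffer.offset` having been reset to 0 when `http->request->range` is null; a one-line comment on the subtraction stating that dependency would stop a later refactor from folding it back into the initializer, which is the form this change removes.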