Author: Finn Thain <fthain@telegraphics.com.au>
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 9 May 2008 14:27:20 +0000 (02:27 +1200)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 9 May 2008 14:27:20 +0000 (02:27 +1200)
Bug 2339: segfault in MemBuf::append()

This segfault was caused by a buffer overrun in Range header processing.
The fix re-arranges the length calculations to make sense.

src/client_side_reply.cc

index 85caea4a45dfff773e749ddfc345e9e24afd82bf..838114e704bc62b091fbc5ff10dedb416db1e1af 100644 (file)
@@ -1831,13 +1831,15 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
 
     StoreIOBuffer tempBuffer;
     char *buf = next()->readBuffer.data;
-    char *body_buf = buf + reply->hdr_sz - next()->readBuffer.offset;
+    char *body_buf = buf + reply->hdr_sz;
 
     //Server side may disable ranges under some circumstances.
 
     if ((!http->request->range))
         next()->readBuffer.offset = 0;
 
+    body_buf -= next()->readBuffer.offset;
+
     if (next()->readBuffer.offset != 0) {
         if (next()->readBuffer.offset > body_size) {
             /* Can't use any of the body we received. send nothing */
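Review bot: `body_buf -= next()->readBuffer.offset;` runs before the `next()->readBuffer.offset > body_size` check two lines below it, so whenever the offset exceeds `reply->hdr_sz` the pointer is already formed before the start of `buf`. Forming that pointer is undefined behaviour in C++ even if it is never dereferenced. Moving the adjustment into the branches that have already bounded the offset would avoid this; at minimum the line deserves a comment such as `// must follow the offset reset above: a stale offset here overran the buffer (Bug 2339)`. Nothing visible in the hunk checks `reply->hdr_sz` against the bytes actually held in `readBuffer`, so that presumably relies on an earlier guarantee worth asserting. The body of processReplyAccessResult starts and continues outside the hunk.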