From: Amos Jeffries
Date: Mon, 12 May 2008 02:28:21 +0000 (+1200)
Subject: Author: Finn Thain
X-Git-Tag: SQUID_3_0_STABLE6~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3da87009edcf6dd8c2db1ae710742011f62f2121;p=thirdparty%2Fsquid.git
Author: Finn Thain
Bug 2339: segfault in MemBuf::append()
This segfault was caused by a buffer overrun in Range header processing. The fix re-arranges the length calculations to make sense.
---
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index cd6d0c93d0..66168bab7f 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1782,13 +1782,15 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
 StoreIOBuffer tempBuffer;
 char *buf = next()->readBuffer.data;
- char *body_buf = buf + reply->hdr_sz - next()->readBuffer.offset;
+ char *body_buf = buf + reply->hdr_sz;
 //Server side may disable ranges under some circumstances.
 if ((!http->request->range))
 next()->readBuffer.offset = 0;
+ body_buf -= next()->readBuffer.offset;
+
 if (next()->readBuffer.offset != 0) {
 if (next()->readBuffer.offset > body_size) {
 /* Can't use any of the body we received. send nothing */
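Review bot: The added `body_buf -= next()->readBuffer.offset;` runs before the `next()->readBuffer.offset > body_size` check that follows it, so the pointer is moved back by a client-influenced offset that nothing has validated yet. If the offset exceeds `reply->hdr_sz`, the result points before `buf`. Whether that pointer is ever dereferenced depends on the branches below, which continue outside this hunk, but keeping `body_buf` at `buf + reply->hdr_sz` and applying the offset only in the branch that has already passed the size check would make the bound visible at the point of use. Since the ordering relative to the range reset is the whole fix, it also deserves a comment such as `// must follow the range reset above: offset may just have been cleared to 0`.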