From 3da87009edcf6dd8c2db1ae710742011f62f2121 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 12 May 2008 14:28:21 +1200
Subject: [PATCH] Author: Finn Thain Bug 2339: segfault in MemBuf::append()

This segfault was caused by a buffer overrun in Range header processing. The fix re-arranges the length calculations to make sense.
---
 src/client_side_reply.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index cd6d0c93d0..66168bab7f 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1782,13 +1782,15 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
 StoreIOBuffer tempBuffer;
 char *buf = next()->readBuffer.data;
- char *body_buf = buf + reply->hdr_sz - next()->readBuffer.offset;
+ char *body_buf = buf + reply->hdr_sz;
 //Server side may disable ranges under some circumstances.
 if ((!http->request->range))
 next()->readBuffer.offset = 0;
+ body_buf -= next()->readBuffer.offset;
+
 if (next()->readBuffer.offset != 0) {
 if (next()->readBuffer.offset > body_size) {
 /* Can't use any of the body we received. send nothing */
-- 
2.47.2
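Review bot: `body_buf -= next()->readBuffer.offset;` can still move `body_buf` below `buf` whenever the offset exceeds `reply->hdr_sz`, which is out-of-range pointer arithmetic even if the `offset > body_size` branch that follows never reads through it; the reordering cures the original mis-sequencing (offset zeroed after it had already been subtracted) but keeps the negative-intermediate idiom that produced the overrun. A safer shape leaves `body_buf` at `buf + reply->hdr_sz` and applies the offset only where the pointer is consumed, so no intermediate ever leaves the buffer; those consumers sit after the hunk (processReplyAccessResult continues outside it), so at minimum the invariant should be stated next to the new line: `// body_buf is rebased so that body_buf + readBuffer.offset == buf + hdr_sz; it may point before buf and must not be dereferenced as-is`. The offset is also re-read from `next()->readBuffer` on three of the new-side lines; a single named local taken after the zeroing would make the ordering dependence (zero first, then subtract) harder to break again.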