From e85eb4e15409e1047367ecc7d1092729a2dc563a Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 10 May 2008 02:27:20 +1200
Subject: [PATCH] Author: Finn Thain
Bug 2339: segfault in MemBuf::append()
This segfault was caused by a buffer overrun in Range header processing.
The fix re-arranges the length calculations to make sense.
---
 src/client_side_reply.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 85caea4a45..838114e704 100644
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1831,13 +1831,15 @@ clientReplyContext::processReplyAccessResult(bool accessAllowed)
     StoreIOBuffer tempBuffer;
     char *buf = next()->readBuffer.data;
-    char *body_buf = buf + reply->hdr_sz - next()->readBuffer.offset;
+    char *body_buf = buf + reply->hdr_sz;
     //Server side may disable ranges under some circumstances.
     if ((!http->request->range))
         next()->readBuffer.offset = 0;
+    body_buf -= next()->readBuffer.offset;
+
     if (next()->readBuffer.offset != 0) {
         if (next()->readBuffer.offset > body_size) {
             /* Can't use any of the body we received. send nothing */
-- 
2.47.3
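Review bot: The added `body_buf -= next()->readBuffer.offset;` is evaluated before the `offset > body_size` check that follows it, so when offset exceeds `reply->hdr_sz` the result is a pointer before `buf`; if `readBuffer.data` is the start of the allocation, merely forming that pointer is undefined behaviour in C++ even when it is never dereferenced, and the compiler is free to assume the range check cannot fail. Moving the single subtraction line to the point where offset has already been validated (the `else` branch of the range check, which lies outside the hunk) would keep the pointer in bounds, or, if the surrounding code guarantees `offset <= hdr_sz`, that invariant should be written down, e.g. `// TODO: confirm offset <= hdr_sz here, otherwise body_buf points before buf`. The new code also does not say what `body_buf` is meant to point at after the subtraction, which is the quantity the original overrun got wrong; a one-line comment stating the intended relationship between `buf`, `hdr_sz` and `offset` would make the fix auditable. `processReplyAccessResult` continues past the end of the hunk, so the later uses of `body_buf` are not visible here.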