From: Amos Jeffries Date: Fri, 3 Jul 2009 00:56:44 +0000 (+1200) Subject: Author: Alex Rousskov X-Git-Tag: SQUID_3_1_0_10~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d35ce0fc54e64d0a7eabfc6852cab73c1b0c3bf7;p=thirdparty%2Fsquid.git Author: Alex Rousskov Bug 2695: String length overflows on append, leading to segfaults Long-term patch for 3.0. This softens the error, but does not resolve the issue completely for ESI. Short-term patch for 3.1. The limit is arbitrary and may be fixed at some point by a better patch. This one will work however. --- diff --git a/src/String.cc b/src/String.cc index a68af96883..9fc2ad80a4 100644 --- a/src/String.cc +++ b/src/String.cc @@ -193,6 +193,7 @@ String::append(const char *str, int len) } else { // Create a temporary string and absorb it later. String snew; + assert(len_ + len < 65536); // otherwise snew.len_ overflows below snew.len_ = len_ + len; snew.allocBuffer(snew.len_ + 1);
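Review bot: the new `assert(len_ + len < 65536)` in `String::append` checks only the upper bound and enforces it by aborting, so an over-long append still takes the process down, now as a controlled abort rather than a segfault. Because `len` is a signed `int`, a negative value passes this check and still reaches `snew.len_ = len_ + len`; consider also asserting `len >= 0` on the same path. The literal 65536 would be easier to audit as a named constant derived from the type of `len_`, with a comment stating why that bound was chosen, and it is worth confirming that `snew.allocBuffer(snew.len_ + 1)` is safe at the boundary where `len_ + len` equals 65535. Where the appended length can come from untrusted input, a recoverable error path would be preferable to an assertion; the commit message already notes that the ESI case is not fully resolved.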