axis-c-dev mailing list archives

From "Stipcevic, Marc" <>
Subject Bug in axutil_stream_write_basic
Date Wed, 10 Aug 2011 14:28:24 GMT

I found a bug in the file stream.c in the project axutil.
If (Line 178) AXIS2_FREE(env->allocator, stream->buffer_head); frees a stream whose
len == its max_len, a heap corruption appears
because in allocator.c (Line 120) the function axutil_allocator_free_impl frees a pointer
with the wrong size (1 byte too much).

This error could only happen if the length of the buffer is a multiple of 2048, because in
the file stream.c in the function
axutil_stream_write_basic (Line 306) if(new_len > stream->max_len) the string only becomes
larger if the max_len is bigger than the
len, not if max_len == len.
If this case happens at the end of the program, a heap corruption appears.

The solution would be
if(new_len >= stream->max_len)
instead of
if(new_len > stream->max_len)

Does anyone know this bug, and does an official patch / fix exist for it?

Best Regards (and sorry for my terrible English)

Marc Stipcevic
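
The boundary case described in the message, as an added example that is not part of the original post and is not Axis2/C code: a hypothetical model stream (`model_stream`, `model_write`, `guard_overwritten` are invented names) that grows with either the `>` or the `>=` check. It assumes one byte is touched at offset `len` after each write, and it keeps a guard byte inside the allocation so the run itself stays well-defined.

```c
#include <stdlib.h>
#include <string.h>
#define GROW_STEP 2048  /* buffer granularity mentioned in the report */
#define CANARY 0xA5     /* constructed guard value */

/* Hypothetical model stream; not the axutil_stream_t layout. */
struct model_stream {
    unsigned char *buf;
    size_t len;      /* bytes written so far */
    size_t max_len;  /* usable bytes; one guard byte sits at buf[max_len] */
};

static int model_alloc(struct model_stream *s, size_t max_len) {
    s->buf = malloc(max_len + 1);  /* +1 keeps the guard inside the allocation */
    if (!s->buf) return -1;
    s->buf[max_len] = CANARY;
    s->max_len = max_len;
    return 0;
}

/* Append count bytes plus one trailing byte at buf[len] (assumed behaviour). */
static int model_write(struct model_stream *s, const void *data, size_t count, int inclusive) {
    size_t new_len = s->len + count;
    if (inclusive ? new_len >= s->max_len : new_len > s->max_len) {
        struct model_stream grown = { NULL, s->len, 0 };
        if (model_alloc(&grown, new_len + GROW_STEP) != 0) return -1;
        memcpy(grown.buf, s->buf, s->len);
        free(s->buf);
        *s = grown;
    }
    memcpy(s->buf + s->len, data, count);
    s->len = new_len;
    s->buf[s->len] = '\0';  /* lands on the guard byte when len == max_len */
    return 0;
}

/* 1 if the guard byte was overwritten, 0 if intact, -1 on allocation failure. */
int guard_overwritten(size_t initial_max, size_t write_len, int inclusive) {
    struct model_stream s = { NULL, 0, 0 };
    unsigned char *data = malloc(write_len + 1);
    int hit = -1;
    if (data && model_alloc(&s, initial_max) == 0) {
        memset(data, 'A', write_len);
        if (model_write(&s, data, write_len, inclusive) == 0)
            hit = s.buf[s.max_len] != CANARY;
    }
    free(s.buf); free(data);
    return hit;
}
```

Only the exact-fit write (2048 bytes into a 2048-byte buffer) with the `>` check reaches the guard byte; one byte less, one byte more, or the `>=` check leaves it intact.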
