From: Chris B. <buc...@us...> - 2013-05-16 21:50:36
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker". The branch, master has been updated via 9255afd068bda71a33b432e3bdff992e85cc2afd (commit) via a695a5fe1419f1e2c330a590437704f402fdeb81 (commit) via 87c2e496998df33b83a90ebc9e7127f5d8a1ce7f (commit) from 1c467d6ccd384f16d9109f43f72675dd2ab1c82a (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9255afd068bda71a33b432e3bdff992e85cc2afd Author: buccella <buc...@li...> Date: Thu May 16 17:50:18 2013 -0400 [sfcb-tix:#37] indCIMXmlHandler coredumps in IndCIMXMLHandlerInvokeMethod commit a695a5fe1419f1e2c330a590437704f402fdeb81 Author: buccella <buc...@li...> Date: Thu May 16 16:01:34 2013 -0400 [sfcb-tix:#37] indCIMXmlHandler coredumps in IndCIMXMLHandlerInvokeMethod commit 87c2e496998df33b83a90ebc9e7127f5d8a1ce7f Author: buccella <buc...@li...> Date: Thu May 16 15:37:27 2013 -0400 [sfcb-tix:#37] invalid read patches ----------------------------------------------------------------------- Summary of changes: contributions.txt | 4 +++ objectImpl.c | 63 +++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 51 insertions(+), 16 deletions(-) diff --git a/contributions.txt b/contributions.txt index 8b52a52..ad0d74d 100644 --- a/contributions.txt +++ b/contributions.txt @@ -221,3 +221,7 @@ Bas ten Berge Shreyas Deodhar, QLogic ----------------------- 02/27/2013 [sfcb-tix:#24] GetClass Operation does not filter the class + +Jan Safranek, Red Hat +--------------------- +05/16/2013 [sfcb-tix:#37] indCIMXmlHandler coredumps in IndCIMXMLHandlerInvokeMethod with Embedded Instances diff --git a/objectImpl.c b/objectImpl.c index d72c0d2..aa22848 100644 --- a/objectImpl.c +++ b/objectImpl.c 
@@ -187,7 +187,7 @@ ensureClSpace(ClObjectHdr * hdr, ClSection * sct, int size, int iSize) *t; f = ((char *) hdr) + sct->sectionOffset; t = malloc(max * size); - memcpy(t, f, max * size); + memcpy(t,f,sct->used*size); sct->max = max; setSectionPtr(sct, t); } @@ -230,7 +230,7 @@ addClStringN(ClObjectHdr * hdr, const char *str, unsigned int length) buf->bMax = nmax; buf->bUsed = buf->iUsed = 0; buf->iMax = 16; - setStrIndexPtr(buf, malloc(sizeof(long) * 16)); + setStrIndexPtr(buf, malloc(sizeof(*buf->indexPtr) * 16)); hdr->flags |= HDR_Rebuild; } @@ -244,16 +244,15 @@ addClStringN(ClObjectHdr * hdr, const char *str, unsigned int length) if (!isMallocedStrIndex(buf)) { void *idx = buf->indexPtr; buf->iMax = nmax * 2; - setStrIndexPtr(buf, malloc(buf->iMax * sizeof(long))); - memcpy(buf->indexPtr, idx, nmax * sizeof(long)); + setStrIndexPtr(buf, malloc(buf->iMax * sizeof(*buf->indexPtr))); + memcpy(buf->indexPtr, idx, nmax * sizeof(*buf->indexPtr)); } else { buf->iMax = nmax * 2; - setStrIndexPtr(buf, - realloc(buf->indexPtr, buf->iMax * sizeof(long))); + setStrIndexPtr(buf, realloc(buf->indexPtr, buf->iMax * sizeof(*buf->indexPtr))); } } else { buf->iMax = 16; - setStrIndexPtr(buf, malloc(buf->iMax * sizeof(long))); + setStrIndexPtr(buf, malloc(buf->iMax * sizeof(*buf->indexPtr))); } hdr->flags |= HDR_Rebuild; } @@ -325,7 +324,7 @@ addClArray(ClObjectHdr * hdr, CMPIData d) buf->bMax = nmax; buf->bUsed = buf->iUsed = 0; buf->iMax = 16; - setArrayIndexPtr(buf, malloc(sizeof(long) * 16)); + setArrayIndexPtr(buf, malloc(sizeof(*buf->indexPtr) * 16)); hdr->flags |= HDR_Rebuild; } 
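Review bot: In ensureClSpace the result of `t = malloc(max * size)` goes straight into the new `memcpy(t,f,sct->used*size)` with no NULL check, so an allocation failure becomes a write through a null pointer. Both products appear to be computed in `int` (`size` is an `int` parameter; the types of `max` and `sct->used` are not visible here), so a large section could wrap before the value reaches malloc or memcpy. I would handle `t == NULL` before the copy and do the arithmetic in `size_t`, e.g. `memcpy(t, f, (size_t) sct->used * size);`. The same unchecked-allocation pattern appears in the addClStringN, addClArray, replaceClStringN and removeClObject hunks of this commit. The function body starts and ends outside the hunk, so the appropriate failure return cannot be judged from here.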
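Review bot: The realloc branch in addClStringN (hunk at -244) still passes `realloc(buf->indexPtr, ...)` directly to `setStrIndexPtr`, so on failure the old index block is leaked and the buffer presumably ends up with a NULL index pointer while `buf->iMax` has already been doubled. Keep the old pointer until the call succeeds: `void *tmp = realloc(buf->indexPtr, buf->iMax * sizeof(*buf->indexPtr));` followed by `if (tmp) setStrIndexPtr(buf, tmp);` with an error path otherwise, and commit the new `iMax` only after success. The addClArray hunk at -339 has the identical `setArrayIndexPtr(buf, realloc(...))` call and needs the same treatment. addClStringN continues outside the hunk.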
@@ -339,17 +338,15 @@ addClArray(ClObjectHdr * hdr, CMPIData d) if (!isMallocedArrayIndex(buf)) { void *idx = buf->indexPtr; buf->iMax = nmax * 2; - setArrayIndexPtr(buf, malloc(buf->iMax * sizeof(long))); - memcpy(buf->indexPtr, idx, nmax * sizeof(long)); + setArrayIndexPtr(buf, malloc(buf->iMax * sizeof(*buf->indexPtr))); + memcpy(buf->indexPtr, idx, nmax * sizeof(*buf->indexPtr)); } else { buf->iMax = nmax * 2; - setArrayIndexPtr(buf, - realloc(buf->indexPtr, - buf->iMax * sizeof(long))); + setArrayIndexPtr(buf, realloc(buf->indexPtr, buf->iMax * sizeof(*buf->indexPtr))); } } else { buf->iMax = 16; - setArrayIndexPtr(buf, malloc(buf->iMax * sizeof(long))); + setArrayIndexPtr(buf, malloc(buf->iMax * sizeof(*buf->indexPtr))); } hdr->flags |= HDR_Rebuild; } @@ -507,6 +504,29 @@ replaceClString(ClObjectHdr * hdr, int id, const char *str){ return replaceClStringN(hdr, id, str, 0); } +static int getBufIndexLen(int *indexPtr, int bUsed, int iUsed, int index) +{ + /* + * Find length of 'string' in fb at given index. + * We cannot use strlen, because some items are not strings but embedded + * instances. + * We cannot simply substract fb->indexPtr[index+1] - fb->indexPtr[index], + * because the entries are not consecutive! They are shuffled by + * replaceClStringN(). + * Therefore the only way to find a length of our 'string' is to find + * string, which starts immediately after it. Let's call it 'nearest' + * string. */ + int nearest_start = bUsed; + int our_start = indexPtr[index]; + int i; + for (i = 0; i<iUsed; i++) + if (indexPtr[i] > our_start && indexPtr[i] < nearest_start) { + nearest_start = indexPtr[i]; + } + int len = nearest_start - our_start; + return len; +} + static void replaceClStringN(ClObjectHdr * hdr, int id, const char *str, unsigned int length) { 
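Review bot: getBufIndexLen (hunk at -507) can return a negative length: `nearest_start` starts at `bUsed`, so if `indexPtr[index]` is larger than `bUsed` the result `nearest_start - our_start` is below zero, and an `index` outside `0..iUsed-1` reads outside the table before that. replaceClStringN passes the result to `memcpy(ts + u, f, l)` as a size, and removeClObject presumably does the same outside its hunk. A guard such as `if (index < 0 || index >= iUsed || our_start < 0 || our_start > bUsed) return -1;`, with the callers failing on a negative result, would keep a damaged index table from turning into an out-of-bounds copy; whether such a table can arrive from outside the process is not visible here. The `for` body would also read better with braces, since it currently relies on the single `if` statement being its whole body.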
@@ -518,15 +538,20 @@ replaceClStringN(ClObjectHdr * hdr, int id, const char *str, unsigned int length l, u; ClStrBuf *fb; + int *oldIndexPtr; fb = getStrBufPtr(hdr); ts = (char *) malloc(fb->bUsed); fs = &fb->buf[0]; + /* Copy indexPtr from the buffer, so we can compute lengths of items in it.*/ + oldIndexPtr = (int*) malloc(sizeof(int)*fb->iUsed); + memcpy(oldIndexPtr, fb->indexPtr, sizeof(int)*fb->iUsed); + for (u = i = 0; i < fb->iUsed; i++) { if (i != id - 1) { char *f = fs + fb->indexPtr[i]; - l = strlen(f) + 1; + l = getBufIndexLen(oldIndexPtr, fb->bUsed, fb->iUsed, i); fb->indexPtr[i] = u; memcpy(ts + u, f, l); u += l; @@ -535,6 +560,7 @@ replaceClStringN(ClObjectHdr * hdr, int id, const char *str, unsigned int length memcpy(fs, ts, u); fb->bUsed = u; free(ts); + free(oldIndexPtr); i = addClStringN(hdr, str, length); fb = getStrBufPtr(hdr); /* addClString may change the strbufptr */ @@ -558,16 +584,20 @@ removeClObject(ClObjectHdr * hdr, int id) char *ts, *fs; long i, l, u; ClStrBuf *fb; + int *oldIndexPtr; fb = getStrBufPtr(hdr); ts = (char *) malloc(fb->bUsed); /* tmp string buffer */ fs = &fb->buf[0]; + /* Copy indexPtr from the buffer, so we can compute lengths of items in it.*/ + oldIndexPtr = (int*) malloc(sizeof(int)*fb->iUsed); + memcpy(oldIndexPtr, fb->indexPtr, sizeof(int)*fb->iUsed); for (u = i = 0; i < fb->iUsed; i++) { if (i != id - 1) { /* loop through and copy over all _other_ properties */ // fprintf(stderr, "replace: keeping %ld\n", i); char *f = fs + fb->indexPtr[i]; - l = fb->indexPtr[i+1] - fb->indexPtr[i]; + l = getBufIndexLen(oldIndexPtr, fb->bUsed, fb->iUsed, i); /* Bugzilla 74159 - Align the string buffer & null terminate */ /*if (l % sizeof(long) != 0) { @@ -595,6 +625,7 @@ removeClObject(ClObjectHdr * hdr, int id) memcpy(fs, ts, u); fb->bUsed = u; free(ts); + free(oldIndexPtr); fb->iUsed--; /* fixup the item count, since we have one fewer elements */ hooks/post-receive -- sfcb - Small Footprint CIM Broker |
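Review bot: The index snapshot in replaceClStringN hard-codes the element type (`int *oldIndexPtr`, `sizeof(int)*fb->iUsed`) while the allocation sites changed in this same commit moved to `sizeof(*buf->indexPtr)`; if the element type of `indexPtr` ever differs from `int`, the snapshot copies the wrong number of bytes. I would write `oldIndexPtr = malloc(fb->iUsed * sizeof(*fb->indexPtr));` and use the same size expression in the `memcpy`. The malloc result is also used unchecked, and when `fb->iUsed` is 0 malloc may return NULL, which makes the following memcpy call undefined even with a zero size. The removeClObject hunk at -558 repeats these lines verbatim. Both function bodies extend beyond their hunks.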