-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | runtime/stream.c | 10 | ||||
-rw-r--r-- | runtime/stream.h | 4 |
3 files changed, 14 insertions, 10 deletions
@@ -88,6 +88,16 @@ Version 4.5.2 [DEVEL] (rgerhards), 2009-07-?? does most probably not have any effect in practice. - bugfix: if tcp listen port could not be created, no error message was emitted +- bugfix: potential segfault in output file writer (omfile) + In async write mode, we use modular arithmetic to index the output + buffer array. However, the counter variables accidently were signed, + thus resulting in negative indizes after integer overflow. That in turn + could lead to segfaults, but was depending on the memory layout of + the instance in question (which in turn depended on a number of + variables, like compile settings but also configuration). The counters + are now unsigned (as they always should have been) and so the dangling + mis-indexing does no longer happen. This bug potentially affected all + installations, even if only some may actually have seen a segfault. --------------------------------------------------------------------------- Version 4.5.1 [DEVEL] (rgerhards), 2009-07-15 - CONFIG CHANGE: $HUPisRestart default is now "off". We are doing this
diff --git a/runtime/stream.c b/runtime/stream.c
index 2abfb7fe..b1abb27e 100644
--- a/runtime/stream.c
+++ b/runtime/stream.c
@@ -628,8 +628,7 @@ static rsRetVal strmConstructFinalize(strm_t *pThis)
 pthread_cond_init(&pThis->notEmpty, 0);
 pthread_cond_init(&pThis->isEmpty, 0);
 pThis->iCnt = pThis->iEnq = pThis->iDeq = 0;
- //for(i = 0 ; i < STREAM_ASYNC_NUMBUFS ; ++i) {
- for(i = 0 ; i < 1 ; ++i) { // HOTFIX!!!
+ for(i = 0 ; i < STREAM_ASYNC_NUMBUFS ; ++i) {
 CHKmalloc(pThis->asyncBuf[i].pBuf = (uchar*) malloc(sizeof(uchar) * pThis->sIOBufSize));
 }
 pThis->pIOBuf = pThis->asyncBuf[0].pBuf;
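Review bot: Once the restored loop malloc's every one of the STREAM_ASYNC_NUMBUFS slots, a CHKmalloc failure on a later iteration leaves the earlier slots allocated and the remaining `asyncBuf[i].pBuf` fields untouched; unless strm_t is zero-filled at construction (not visible here), a destructor that walks all slots would free indeterminate pointers. Setting every `pThis->asyncBuf[i].pBuf = NULL;` before the loop makes that cleanup path safe regardless, and since the HOTFIX only ever allocated slot 0, the destructor's matching free loop should be checked to cover all STREAM_ASYNC_NUMBUFS entries rather than just the first. strmConstructFinalize starts and ends outside the hunk, and `i` is declared outside it.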
@@ -844,10 +843,7 @@ doAsyncWriteInternal(strm_t *pThis, size_t lenBuf)
 d_pthread_cond_wait(&pThis->notFull, &pThis->mut);
 pThis->asyncBuf[pThis->iEnq % STREAM_ASYNC_NUMBUFS].lenBuf = lenBuf;
- pThis->asyncBuf[pThis->iEnq % STREAM_ASYNC_NUMBUFS].pBuf = pThis->pIOBuf;
- //pThis->pIOBuf = pThis->asyncBuf[++pThis->iEnq % STREAM_ASYNC_NUMBUFS].pBuf;
- ++pThis->iEnq;
- CHKmalloc(pThis->pIOBuf = (uchar*) malloc(sizeof(uchar) * pThis->sIOBufSize));
+ pThis->pIOBuf = pThis->asyncBuf[++pThis->iEnq % STREAM_ASYNC_NUMBUFS].pBuf;
 pThis->bDoTimedWait = 0; /* everything written, no need to timeout partial buffer writes */
 if(++pThis->iCnt == 1)
@@ -941,8 +937,6 @@ asyncWriterThread(void *pPtr)
 iDeq = pThis->iDeq++ % STREAM_ASYNC_NUMBUFS;
 doWriteInternal(pThis, pThis->asyncBuf[iDeq].pBuf, pThis->asyncBuf[iDeq].lenBuf); // TODO: error check????? 2009-07-06
- free(pThis->asyncBuf[iDeq].pBuf);
- pThis->asyncBuf[iDeq].pBuf = NULL;
 --pThis->iCnt;
 if(pThis->iCnt < STREAM_ASYNC_NUMBUFS) {
diff --git a/runtime/stream.h b/runtime/stream.h
index c251e5c4..9577d704 100644
--- a/runtime/stream.h
+++ b/runtime/stream.h
@@ -131,8 +131,8 @@ typedef struct strm_s {
 pthread_cond_t notFull;
 pthread_cond_t notEmpty;
 pthread_cond_t isEmpty;
- short iEnq;
- short iDeq;
+ unsigned short iEnq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */
+ unsigned short iDeq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */
 short iCnt; /* current nbr of elements in buffer */
 struct {
 uchar *pBuf; |
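Review bot: The new line `pThis->pIOBuf = pThis->asyncBuf[++pThis->iEnq % STREAM_ASYNC_NUMBUFS].pBuf;` is only correct across the 16-bit wrap of the now unsigned short iEnq if STREAM_ASYNC_NUMBUFS divides 65536, i.e. is a power of two; otherwise 65535 % N and 0 % N are not adjacent slots, so at the wrap the producer is handed a slot the writer thread has not yet drained while another slot is skipped. Keeping the counters reduced on every advance removes the dependency on the type width: `pThis->iEnq = (pThis->iEnq + 1) % STREAM_ASYNC_NUMBUFS;` followed by `pThis->pIOBuf = pThis->asyncBuf[pThis->iEnq].pBuf;`, with the same treatment for `pThis->iDeq++ % STREAM_ASYNC_NUMBUFS` in the asyncWriterThread hunk below and a matching note on the two fields in the stream.h hunk. The value of STREAM_ASYNC_NUMBUFS is not on this page, so this may already hold in practice, but the correctness should not rest on it. doAsyncWriteInternal starts and ends outside the hunk.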
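Review bot: With the `free(...)` gone the slot is recycled straight after `--pThis->iCnt`, yet the result of `doWriteInternal(...)` on the preceding context line is still discarded (the `// TODO: error check?????` remark), so a failed write now silently loses that buffer's content before the producer overwrites it. Capturing the return value (presumably rsRetVal, as used for strmConstructFinalize in the same file) and at least logging or counting the failure would make the loss visible instead of silent. asyncWriterThread starts and ends outside the hunk.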
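Review bot: The two new field comments say "module arithmetic" where "modular arithmetic" is meant, and they repeat each other without stating the constraint that matters, that these are ring indices consumed via `% STREAM_ASYNC_NUMBUFS`. One comment over both fields such as `/* ring indices, always used modulo STREAM_ASYNC_NUMBUFS; MUST stay unsigned - a signed value goes negative after overflow and indexes outside asyncBuf */` says why the type is load-bearing. The strm_s typedef continues outside the hunk.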