Package: subversion
Version: 1.8.5-1
Severity: normal
Tags: upstream
There is a bug in Subversion 1.8 libsvn_subr that makes 32-bit svnserve
hang after some period of time doing an infinite loop inside
ensure_data_insertable() because cache->data_used becomes a very big
value after adding an unsigned representation of a negative value to it,
and ensure_data_insertable() never removes entries smaller than
cache->data_used / cache->used_entries / 8.
A patch is attached; this is definitely an upstream issue, so I'll also
send it to them (if everything is OK with
http://subversion.tigris.org/ - now it opens with errors).

This patch fixes the bug which makes 32-bit svnserve hang after some period of
time doing an infinite loop inside ensure_data_insertable() because
cache->data_used becomes a very big value, and ensure_data_insertable() never
removes entries smaller than cache->data_used / cache->used_entries / 8.
--- a/subversion/libsvn_subr/cache-membuffer.c 2014-02-12 21:42:12.483208244
+0000
+++ b/subversion/libsvn_subr/cache-membuffer.c 2014-02-12 21:45:54.275215290
+0000
@@ -1374,7 +1374,9 @@ membuffer_cache_set_internal(svn_membuff
* the old spot, just re-use that space. */
if (entry && ALIGN_VALUE(entry->size) >= size && buffer)
{
- cache->data_used += size - entry->size;
+ /* not "+=" because (size - entry_size) is almost always a big 32-bit
+ unsigned representation of a negative value on 32-bit platforms */
+ cache->data_used = cache->data_used + size - entry->size;
entry->size = size;
#ifdef SVN_DEBUG_CACHE_MEMBUFFER
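Review bot: the new `cache->data_used = cache->data_used + size - entry->size;` line is correct only because of left-to-right evaluation and implicit widening of `size`, so a later cleanup back to `+=` or an added pair of parentheses around `size - entry->size` silently reintroduces the hang. Make the intent explicit instead, for example with two statements (`cache->data_used -= entry->size;` then `cache->data_used += size;`) or by casting the operands to the type of `data_used`. The comment should also say `entry->size` rather than `entry_size`, and note that the guard `ALIGN_VALUE(entry->size) >= size` on the `if` line is what lets `size` be smaller than `entry->size` here.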
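The arithmetic behind the hang described in this report, as an added stand-alone example (not Subversion code). It assumes the size operands are 32-bit unsigned and the running total is 64-bit, modelled with `uint32_t`/`uint64_t` so it behaves the same on any host; `model_cache_t` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit size operands, 64-bit running total (see lead-in). */
typedef struct {
    uint64_t data_used;
    uint32_t used_entries;
} model_cache_t;

/* Pre-patch form: (size - old_size) is evaluated in 32 bits, wraps when
   size < old_size, and is then zero-extended into the 64-bit total. */
static void update_buggy(model_cache_t *c, uint32_t size, uint32_t old_size)
{
    c->data_used += size - old_size;
}

/* Patched form: data_used + size is evaluated in 64 bits first, so the
   subtraction of old_size happens in 64 bits as well. */
static void update_fixed(model_cache_t *c, uint32_t size, uint32_t old_size)
{
    c->data_used = c->data_used + size - old_size;
}

/* Threshold quoted in the report: entries smaller than this value are
   never removed by the eviction loop. */
static uint64_t eviction_threshold(const model_cache_t *c)
{
    return c->data_used / c->used_entries / 8;
}

int main(void)
{
    /* Constructed values: 10 entries of 1000 bytes; one is rewritten
       in place with a 400-byte item. */
    model_cache_t buggy = { 10000, 10 };
    model_cache_t fixed = { 10000, 10 };

    update_buggy(&buggy, 400, 1000);
    update_fixed(&fixed, 400, 1000);

    printf("buggy: data_used=%llu threshold=%llu\n",
           (unsigned long long)buggy.data_used,
           (unsigned long long)eviction_threshold(&buggy));
    printf("fixed: data_used=%llu threshold=%llu\n",
           (unsigned long long)fixed.data_used,
           (unsigned long long)eviction_threshold(&fixed));
    return 0;
}
```

With the pre-patch update the threshold ends up far above the size of any 1000-byte entry, so every entry counts as too small to remove and the loop has nothing it is allowed to evict.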