DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=25550>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=25550

apr_rmm corruption when allocating too much

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Other                       |Low

------- Additional Comments From [EMAIL PROTECTED]  2004-03-10 17:04 -------
I have just run into this problem, and I traced through the code and I know where the problem is coming from.

First, what I've seen is exactly what Philippe M. Chiasson has described: if you try to allocate memory by calling apr_rmm_malloc and there is not enough memory left in RMM, it will simply overwrite previously allocated memory, causing a segmentation fault when one tries to access the overwritten memory.

I traced through the code and I managed to find the source of the problem: in apr_rmm.c line 129 (inside the function find_block_of_size), there is a line that reads:

    if (bestsize - size > sizeof(struct rmm_block_t*)) {

This line has an unsigned arithmetic error: when there is not enough memory left to satisfy the requested size, the bestsize value is 0. Say the requested size is 28, so 0 - 28 = -28, but because bestsize and size are unsigned int, that negative number becomes a huge positive number, 4294967268, which is of course > sizeof(struct rmm_block_t*), causing the if statement to evaluate to true instead of false.

Now things get messed up really badly: since best is 0, this causes an (rmm_block_t) blk to get written over top of rmm->base, messing up memory that's already in use and eventually causing a crash when that memory is referenced.

I suggest that line be changed to the following:

    if (bestsize > sizeof(struct rmm_block_t*) + size ) {
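The comparison described in the comment above, as a standalone C program. This is an added example, not code from APR or from the bug report. Only the two if-conditions come from the comment; best_fit, the split_check_* names and the free-block sizes are constructed for illustration, and a 32-bit unsigned int is assumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for APR's block header; only the size of a pointer to it matters. */
struct rmm_block_t;

/* Hypothetical helper: best-fit search over a list of free block sizes.
 * Returns 0 when no block is large enough, the state the comment describes. */
static unsigned int best_fit(const unsigned int *free_sizes, size_t n,
                             unsigned int size)
{
    unsigned int bestsize = 0;
    for (size_t i = 0; i < n; i++) {
        if (free_sizes[i] >= size &&
            (bestsize == 0 || free_sizes[i] < bestsize))
            bestsize = free_sizes[i];
    }
    return bestsize;
}

/* Condition quoted from apr_rmm.c: the subtraction wraps when bestsize < size. */
static int split_check_original(unsigned int bestsize, unsigned int size)
{
    return bestsize - size > sizeof(struct rmm_block_t *);
}

/* Condition proposed in the comment: no subtraction, so nothing wraps here. */
static int split_check_proposed(unsigned int bestsize, unsigned int size)
{
    return bestsize > sizeof(struct rmm_block_t *) + size;
}

int main(void)
{
    const unsigned int free_sizes[] = { 16, 24 };   /* constructed sample */
    unsigned int size = 28;                         /* request from the comment */
    unsigned int bestsize = best_fit(free_sizes, 2, size);

    printf("bestsize=%u, bestsize - size=%u\n", bestsize, bestsize - size);
    printf("original check: %d\n", split_check_original(bestsize, size));
    printf("proposed check: %d\n", split_check_proposed(bestsize, size));
    return 0;
}
```

With no block large enough, the original check reports that the (non-existent) best block should be split, while the proposed check does not; both agree when a block of sufficient size exists.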
