Good catch and thanks for the suggested fix. I will have a look and commit this for upcoming 1.7.0 release.
Samisa Abeysinghe
http://samisa-abeysinghe.blogspot.com/

On Wed, Aug 10, 2011 at 7:58 PM, Stipcevic, Marc <[email protected]> wrote:
> Hi,
>
> I found a bug in the file stream.c in the project axutil.
> If (Line 178) AXIS2_FREE(env->allocator, stream->buffer_head); frees a
> stream whose len == its max_len, a heap corruption appears,
> because in allocator.c (Line 120) the function axutil_allocator_free_impl
> frees a pointer with the wrong size (1 byte too much).
>
> This error can only happen if the length of the buffer is a multiple of
> 2048, because in the file stream.c in the function
> axutil_stream_write_basic (Line 306) if(new_len > stream->max_len) the
> string only becomes larger if max_len is bigger than
> len, not if max_len == len.
> If this case happens at the end of the program, a heap corruption appears.
>
> The solution would be
> if(new_len >= stream->max_len)
> instead of
> if(new_len > stream->max_len)
>
> Does someone know this bug, and does an official patch / fix exist for it?
>
> Best regards (and sorry for my terrible English)
>
> Marc Stipcevic
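
The off-by-one reported above, as an added C model that is not Axis2/C's own code: a growable buffer whose growth check uses either the buggy `>` or the proposed `>=`. The model assumes the write appends a terminating byte after the data, and it replaces the silent heap corruption with an explicit bounds check so the failing case (buffer exactly full) is observable.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_CHUNK 2048   /* growth step; the report ties the bug to multiples of 2048 */

typedef struct {
    char *buffer;    /* heap allocation of max_len bytes */
    size_t len;      /* bytes written so far */
    size_t max_len;  /* allocation size */
} stream_t;

int stream_init(stream_t *s, size_t max_len)
{
    s->buffer = malloc(max_len);
    s->len = 0;
    s->max_len = max_len;
    return s->buffer ? 0 : -1;
}

/* Growth check from the report: '>' is the buggy form, '>=' the proposed fix. */
static int needs_grow(size_t new_len, size_t max_len, int fixed)
{
    return fixed ? (new_len >= max_len) : (new_len > max_len);
}

/* Appends count bytes plus a terminating '\0' (an assumption of this model).
   Returns 0 on success. Returns -1 without writing when the terminator would
   land at buffer[max_len], one byte past the allocation: the off-by-one the
   report describes, which in real code is silent heap corruption. */
int stream_write(stream_t *s, const char *data, size_t count, int fixed)
{
    size_t new_len = s->len + count;
    if (needs_grow(new_len, s->max_len, fixed)) {
        size_t new_max = new_len + BUF_CHUNK;
        char *tmp = malloc(new_max);
        if (!tmp) return -1;
        memcpy(tmp, s->buffer, s->len);
        free(s->buffer);
        s->buffer = tmp;
        s->max_len = new_max;
    }
    if (new_len >= s->max_len) return -1;   /* explicit bounds check */
    memcpy(s->buffer + s->len, data, count);
    s->len = new_len;
    s->buffer[s->len] = '\0';
    return 0;
}
```

With a 4-byte buffer, writing exactly 4 bytes fails the bounds check under `>` (no growth happens) and succeeds under `>=` because the buffer grows first.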
