See the attached file for the diff output from "diff -C3". Thanks.
-- Kevin
--- Kevin Wang <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> In the past few days, I was trying to track down a shared-memory corruption
> problem in my module. Eventually I found this bug in apr_rmm.c's
> find_block_of_size() function.
>
> It is severe enough to corrupt all of the rmm memory blocks and make the apr_rmm_*
> functions completely unusable. The source code version I am referring to is
> 2.0.48.
>
> Thanks!
>
> -- Kevin
>
> Here are the problems and the fixes:
>
> 1. in apr_rmm.c: line 129
>
> if (bestsize - size > sizeof(struct rmm_block_t*)) {
>
> >>>
>
> if (bestsize - size > sizeof(rmm_block_t)) {
>
>
> 2. in apr_rmm.c: line 141
>
> blk = (rmm_block_t*)((char*)rmm->base + blk->next);
>
> >>>
>
> blk = (rmm_block_t*)((char*)rmm->base + new->next);
>
*** apr_rmm.c Fri Dec 5 16:47:36 2003
--- apr_rmm.c.new Fri Dec 5 16:46:52 2003
***************
*** 126,132 ****
next = blk->next;
}
! if (bestsize - size > sizeof(struct rmm_block_t*)) {
struct rmm_block_t *blk = (rmm_block_t*)((char*)rmm->base + best);
struct rmm_block_t *new = (rmm_block_t*)((char*)rmm->base + best +
size);
--- 126,132 ----
next = blk->next;
}
! if (bestsize - size > sizeof(rmm_block_t)) {
struct rmm_block_t *blk = (rmm_block_t*)((char*)rmm->base + best);
struct rmm_block_t *new = (rmm_block_t*)((char*)rmm->base + best +
size);
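Review bot: The new threshold on the `!` line compares the leftover space against the block header size, but nothing in the hunk says why, and the old `sizeof(struct rmm_block_t*)` shows how easily header size and pointer size get confused here; a one-line comment would pin the intent: `/* split only if the remainder can hold a block header plus at least one usable byte */`. The subtraction `bestsize - size` is only safe if the best-fit search that precedes this hunk guarantees bestsize >= size; with unsigned sizes an underflow would make the split branch always taken, which is not visible here and should be confirmed. find_block_of_size begins outside the hunk.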
***************
*** 138,144 ****
blk->next = best + size;
if (new->next) {
! blk = (rmm_block_t*)((char*)rmm->base + blk->next);
blk->prev = best + size;
}
}
--- 138,144 ----
blk->next = best + size;
if (new->next) {
! blk = (rmm_block_t*)((char*)rmm->base + new->next);
blk->prev = best + size;
}
}
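Review bot: Reusing `blk` for the successor block on the `!` line is what allowed the original bug: once `blk->next` has been rewritten to `best + size` two lines above, reading `blk->next` yields `new` itself, so the old code overwrote `new->prev` instead of the successor's `prev`. The fix reads `new->next`, which is correct, but a distinct local would make the intent obvious and stop the same slip from recurring: `struct rmm_block_t *succ = (rmm_block_t*)((char*)rmm->base + new->next);` followed by `succ->prev = best + size;`. Where `new->next` is assigned is not visible in this hunk, so I have assumed it still carries the offset of the old successor at this point. The enclosing function continues outside the hunk.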