In trying to get Subversion acquainted with the 1.4.x branch, I
encountered a crash within an invocation of apr_psprintf(). The
attached patch adds a test case demonstrating the crash. The patch is
against 1.4.x, but applies to trunk as well, where the bug is also
present.
The test case is essentially a replication of one of the calls to
apr_psprintf() that happens deep within Subversion, and which
functions just fine when working against 1.3.x. In digging a little
deeper, it appears that the var arg pointer isn't being advanced
properly at some point in apr_vformatter(), but I'm hoping that
someone more familiar with the code will be able to figure out what's
really going on.
Cheers,
-Hyrum
Index: test/teststr.c
===================================================================
--- test/teststr.c (revision 921442)
+++ test/teststr.c (working copy)
@@ -148,6 +148,20 @@ static void snprintf_underflow(abts_case *tc, void
ABTS_STR_EQUAL(tc, "0.01", buf);
}
+static void psprintf_combo(abts_case *tc, void *data)
+{
+ char *buff;
+ apr_pool_t *p;
+
+ apr_pool_create(&p, NULL);
+ buff = apr_psprintf(p, "%ld %lld %ld %ld %s",
+ (long int)0, (long long int)0,
+ (long int)4, (long int)4,
+ "deadbeef");
+ fprintf(stderr, "result: >%s<\n", buff);
+ ABTS_ASSERT(tc, "bad result", strcmp(buff, "0 0 4 4 deadbeef") != 0);
+}
+
static void string_error(abts_case *tc, void *data)
{
char buf[128], *rv;
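Review bot: the assertion in psprintf_combo is inverted: `ABTS_ASSERT(tc, "bad result", strcmp(buff, "0 0 4 4 deadbeef") != 0);` passes only when the formatted string is wrong and fails once the bug is fixed, so the test would start failing on a correct apr_vformatter(); it should read `strcmp(buff, "0 0 4 4 deadbeef") == 0` (or use ABTS_STR_EQUAL(tc, "0 0 4 4 deadbeef", buff) as the surrounding tests do). The pool created with apr_pool_create(&p, NULL) is never released; add `apr_pool_destroy(p);` at the end of the test, and check the apr_status_t return of apr_pool_create rather than ignoring it. The `fprintf(stderr, "result: >%s<\n", buff);` is debugging output and should be dropped before commit, since the ABTS failure message already carries the diagnosis.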
@@ -391,6 +405,7 @@ abts_suite *teststr(abts_suite *suite)
abts_run_test(suite, snprintf_0nonNULL, NULL);
abts_run_test(suite, snprintf_noNULL, NULL);
abts_run_test(suite, snprintf_underflow, NULL);
+ abts_run_test(suite, psprintf_combo, NULL);
abts_run_test(suite, test_strtok, NULL);
abts_run_test(suite, string_error, NULL);
abts_run_test(suite, string_long, NULL);